From: dborkman@redhat.com (Daniel Borkmann)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH arm64-next] net: bpf: arm64: address randomize and write protect JIT code
Date: Fri, 12 Sep 2014 18:21:27 +0200 [thread overview]
Message-ID: <54131D87.9060008@redhat.com> (raw)
In-Reply-To: <20140912160345.GF5532@arm.com>
On 09/12/2014 06:03 PM, Catalin Marinas wrote:
> Daniel,
>
> On Fri, Sep 12, 2014 at 08:11:37AM +0100, Daniel Borkmann wrote:
>> Will, Catalin, Dave, this is more or less a heads-up: when net-next and
>> arm64-next tree will get both merged into Linus' tree, we will run into
>> a 'silent' merge conflict until someone actually runs eBPF JIT on ARM64
>> and might notice (I presume) an oops when JIT is freeing bpf_prog. I'd
>> assume nobody actually _runs_ linux-next, but not sure about that though.
>
> Some people do.
>
>> How do we handle this? Would I need to resend this patch when the time
>> comes or would you ARM64 guys take care of it automagically? ;)
>
> I think we could disable BPF for arm64 until -rc1 and re-enable it
> together with this patch.
Ok, yes, that would mitigate it a bit. Sounds fine to me.
> One comment below:
>
>> --- a/arch/arm64/net/bpf_jit_comp.c
>> +++ b/arch/arm64/net/bpf_jit_comp.c
> [...]
>> +static void jit_fill_hole(void *area, unsigned int size)
>> +{
>> + /* Insert illegal UND instructions. */
>> + u32 *ptr, fill_ins = 0xe7ffffff;
>
> On arm64 we don't have a guaranteed undefined instruction space (and
> Will tells me that on Thumb-2 for the 32-bit arm port it actually is a
> valid instruction, it seems that you used the same value).
Hm, ok, the boards we've tried out and where Zi tested it too, it worked.
> I think the only guaranteed way is to use the BRK #imm instruction but
> it requires some changes to the handling code as it is currently used
> for kgdb (unless you can use two instructions for filling in which could
> generate a NULL pointer access).
The trade-off would be that if we align on 8, it would certainly increase
the probability to jump to the right offset. Note, on x86_64 we have no
alignment requirements, hence 1, and on s390x only alignment of 2.
So, on that few (?) boards where UND would be a valid instruction [ as
opposed to crash the kernel ], would it translate into a NOP and just
'walk' from there into the JIT image?
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Borkmann <dborkman@redhat.com>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <Will.Deacon@arm.com>,
"davem@davemloft.net" <davem@davemloft.net>,
"zlim.lnx@gmail.com" <zlim.lnx@gmail.com>,
"ast@plumgrid.com" <ast@plumgrid.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH arm64-next] net: bpf: arm64: address randomize and write protect JIT code
Date: Fri, 12 Sep 2014 18:21:27 +0200 [thread overview]
Message-ID: <54131D87.9060008@redhat.com> (raw)
In-Reply-To: <20140912160345.GF5532@arm.com>
On 09/12/2014 06:03 PM, Catalin Marinas wrote:
> Daniel,
>
> On Fri, Sep 12, 2014 at 08:11:37AM +0100, Daniel Borkmann wrote:
>> Will, Catalin, Dave, this is more or less a heads-up: when net-next and
>> arm64-next tree will get both merged into Linus' tree, we will run into
>> a 'silent' merge conflict until someone actually runs eBPF JIT on ARM64
>> and might notice (I presume) an oops when JIT is freeing bpf_prog. I'd
>> assume nobody actually _runs_ linux-next, but not sure about that though.
>
> Some people do.
>
>> How do we handle this? Would I need to resend this patch when the time
>> comes or would you ARM64 guys take care of it automagically? ;)
>
> I think we could disable BPF for arm64 until -rc1 and re-enable it
> together with this patch.
Ok, yes, that would mitigate it a bit. Sounds fine to me.
> One comment below:
>
>> --- a/arch/arm64/net/bpf_jit_comp.c
>> +++ b/arch/arm64/net/bpf_jit_comp.c
> [...]
>> +static void jit_fill_hole(void *area, unsigned int size)
>> +{
>> + /* Insert illegal UND instructions. */
>> + u32 *ptr, fill_ins = 0xe7ffffff;
>
> On arm64 we don't have a guaranteed undefined instruction space (and
> Will tells me that on Thumb-2 for the 32-bit arm port it actually is a
> valid instruction, it seems that you used the same value).
Hm, ok, the boards we've tried out and where Zi tested it too, it worked.
> I think the only guaranteed way is to use the BRK #imm instruction but
> it requires some changes to the handling code as it is currently used
> for kgdb (unless you can use two instructions for filling in which could
> generate a NULL pointer access).
The trade-off would be that if we align on 8, it would certainly increase
the probability to jump to the right offset. Note, on x86_64 we have no
alignment requirements, hence 1, and on s390x only alignment of 2.
So, on that few (?) boards where UND would be a valid instruction [ as
opposed to crash the kernel ], would it translate into a NOP and just
'walk' from there into the JIT image?
next prev parent reply other threads:[~2014-09-12 16:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-12 7:11 [PATCH arm64-next] net: bpf: arm64: address randomize and write protect JIT code Daniel Borkmann
2014-09-12 7:11 ` Daniel Borkmann
2014-09-12 16:03 ` Catalin Marinas
2014-09-12 16:03 ` Catalin Marinas
2014-09-12 16:21 ` Daniel Borkmann [this message]
2014-09-12 16:21 ` Daniel Borkmann
2014-09-12 16:46 ` Catalin Marinas
2014-09-12 16:46 ` Catalin Marinas
2014-09-12 17:10 ` Will Deacon
2014-09-12 17:10 ` Will Deacon
2014-09-12 17:16 ` Daniel Borkmann
2014-09-12 17:16 ` Daniel Borkmann
2014-09-12 17:21 ` Catalin Marinas
2014-09-12 17:21 ` Catalin Marinas
2014-09-12 17:39 ` Daniel Borkmann
2014-09-12 17:39 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54131D87.9060008@redhat.com \
--to=dborkman@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.