• Daniel Borkmann's avatar
    bpf: add bpf_jit_limit knob to restrict unpriv allocations · ede95a63
    Daniel Borkmann authored
    Rick reported that the BPF JIT could potentially fill the entire module
    space with BPF programs from unprivileged users which would prevent later
    attempts to load normal kernel modules or privileged BPF programs, for
    example. If JIT was enabled but unsuccessful to generate the image, then
    before commit 290af866 ("bpf: introduce BPF_JIT_ALWAYS_ON config")
    we would always fall back to the BPF interpreter. Nowadays in the case
    where the CONFIG_BPF_JIT_ALWAYS_ON could be set, then the load will abort
    with a failure since the BPF interpreter was compiled out.
    
    Add a global limit and enforce it for unprivileged users such that in case
    of BPF interpreter compiled out we fail once the limit has been reached
    or we fall back to BPF interpreter earlier w/o using module mem if latter
    was compiled in. In a next step, fair share among unprivileged users can
    be resolved in particular for the case where we would fail hard once limit
    is reached.
    
    Fixes: 290af866 ("bpf: introduce BPF_JIT_ALWAYS_ON config")
    Fixes: 0a14842f ("net: filter: Just In Time compiler for x86-64")
    Co-Developed-by: default avatarRick Edgecombe <rick.p.edgecombe@intel.com>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Jann Horn <jannh@google.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: LKML <linux-kernel@vger.kernel.org>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    ede95a63
sysctl_net_core.c 13.4 KB