net: bpf: arm: address randomize and write protect JIT code - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Daniel Borkmann <dborkman@redhat.com>	2014-09-08 10:04:48 +0400
committer	David S. Miller <davem@davemloft.net>	2014-09-10 03:58:56 +0400
commit	55309dd3d4cd7420376a3de0526d6ed24ff8fa76 (patch)
tree	b1e5f70c1930fe58e534ef5371835b56b7bf3519 /arch/powerpc/net
parent	738cbe72adc5c8f2016c4c68aa5162631d4f27e1 (diff)
download	linux-55309dd3d4cd7420376a3de0526d6ed24ff8fa76.tar.xz

net: bpf: arm: address randomize and write protect JIT code

This is the ARM variant for 314beb9bcab ("x86: bpf_jit_comp: secure bpf jit against spraying attacks"). It is now possible to implement it due to commits 75374ad47c64 ("ARM: mm: Define set_memory_* functions for ARM") and dca9aa92fc7c ("ARM: add DEBUG_SET_MODULE_RONX option to Kconfig") which added infrastructure for this facility. Thus, this patch makes sure the BPF generated JIT code is marked RO, as other kernel text sections, and also lets the generated JIT code start at a pseudo random offset instead on a page boundary. The holes are filled with illegal instructions. JIT tested on armv7hl with BPF test suite. Reference: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Acked-by: Mircea Gherzan <mgherzan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'arch/powerpc/net')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: