[bpf-next,0/3] test_bpf.ko blinding fixes

Message ID 20241104200452.2651529-1-minipli@grsecurity.net (mailing list archive)

Mathias Krause Nov. 4, 2024, 8:04 p.m. UTC
With BPF constant blinding enabled, various tests exercising jump offset
limits currently fail because size assumptions in the code no longer
apply. The created BPF program will be expanded through BPF constant
blinding, pushing jump target offsets over the limit.

This small series fixes these by either avoiding the use of instructions
with immediate values (patch 1) or accounting for the expansion (patch
3).

Before:
root@box:~# sysctl net.core.bpf_jit_harden=2
root@box:~# insmod test_bpf.ko
insmod: ERROR: could not insert module test_bpf.ko: Invalid parameters
root@box:~# dmesg | grep Summary
[  177.628099] test_bpf: Summary: 1000 PASSED, 49 FAILED, [988/988 JIT'ed]

After:
root@box:~# sysctl net.core.bpf_jit_harden=2
root@box:~# insmod test_bpf.ko
root@box:~# dmesg | grep Summary
[  220.437597] test_bpf: Summary: 1049 PASSED, 0 FAILED, [1037/1037 JIT'ed]
[  220.477987] test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed]
[  220.480525] test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED


Please apply!

Thanks,
Mathias


Mathias Krause (3):
  bpf/tests: Make max jump tests constant blinding compatible
  bpf: Allow calling bpf_jit_blinding_enabled() with a NULL program
  bpf/tests: Make staggered jump tests constant blinding compatible

 include/linux/filter.h |  5 +++--
 kernel/bpf/core.c      |  3 +++
 kernel/bpf/token.c     |  3 +++
 lib/test_bpf.c         | 21 ++++++++++++++++++---
 4 files changed, 27 insertions(+), 5 deletions(-)
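
The failure mode described in the cover letter, as an added example that is not part of the original message or of the kernel's code. It is a simplified model: the instruction kinds, the 1-to-3 rewrite of each immediate-carrying instruction, and the names `blind` and `max_jump_case` are assumptions of this sketch. It shows a jump sitting exactly at the signed 16-bit offset limit being pushed over it by blinding, while a register-only body (the approach patch 1 takes) is unaffected.

```c
/* Added example: simplified model, not the kernel's insn format or blinding code. */
#include <stdint.h>
#include <stdio.h>
#define MAXN (INT16_MAX + 2)
enum kind { ALU_K, ALU_X, JA, EXIT };            /* ALU_K carries an immediate */
struct insn { enum kind k; int32_t off, imm; };  /* off: insns, relative to the next one */
static struct insn prog[MAXN], out[3 * MAXN];
static long pos[MAXN + 1];

/* Blind prog[0..n) into out[]. Returns the new length, or -1 when a
 * recomputed jump offset no longer fits the signed 16-bit off field. */
long blind(long n, uint32_t rnd)
{
    long len = 0, i, p, off;
    for (i = 0; i < n; i++) {                    /* pass 1: new index of each insn */
        pos[i] = len;
        len += prog[i].k == ALU_K ? 3 : 1;
    }
    pos[n] = len;
    for (i = 0; i < n; i++) {                    /* pass 2: emit, then fix up jumps */
        p = pos[i];
        out[p] = prog[i];
        if (prog[i].k == ALU_K) {
            out[p]     = (struct insn){ ALU_K, 0, (int32_t)(rnd ^ (uint32_t)prog[i].imm) }; /* mov tmp, rnd ^ imm */
            out[p + 1] = (struct insn){ ALU_K, 0, (int32_t)rnd };                           /* xor tmp, rnd */
            out[p + 2] = (struct insn){ ALU_X, 0, 0 };                                      /* op  dst, tmp */
        } else if (prog[i].k == JA) {
            off = pos[i + 1 + prog[i].off] - (p + 1);
            if (off < INT16_MIN || off > INT16_MAX)
                return -1;
            out[p].off = (int32_t)off;
        }
    }
    return len;
}

/* Constructed input: one jump over INT16_MAX body insns, then an exit. */
long max_jump_case(int use_imm)
{
    prog[0] = (struct insn){ JA, INT16_MAX, 0 };
    for (long i = 1; i < MAXN - 1; i++)
        prog[i] = (struct insn){ use_imm ? ALU_K : ALU_X, 0, 1 };
    prog[MAXN - 1] = (struct insn){ EXIT, 0, 0 };
    return blind(MAXN, 0x5a5a5a5au);
}

int main(void)
{
    return printf("immediates: %ld, registers only: %ld\n", max_jump_case(1), max_jump_case(0)) < 0;
}
```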