[PATCH 4.19 087/103] bpf: add per-insn complexity limit

From: Greg Kroah-Hartman
Date: Tue Jan 29 2019 - 07:00:31 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.19 082/103] vt: make vt_console_print() compatible with the unicode screen buffer"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 090/103] bpf: enable access to ax register also from verifier rewrite"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 090/103] bpf: enable access to ax register also from verifier rewrite"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 082/103] vt: make vt_console_print() compatible with the unicode screen buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

[ commit ceefbc96fa5c5b975d87bf8e89ba8416f6b764d9 upstream ]

malicious bpf program may try to force the verifier to remember
a lot of distinct verifier states.
Put a limit to number of per-insn 'struct bpf_verifier_state'.
Note that hitting the limit doesn't reject the program.
It potentially makes the verifier do more steps to analyze the program.
It means that malicious programs will hit BPF_COMPLEXITY_LIMIT_INSNS sooner
instead of spending cpu time walking long link list.

The limit of BPF_COMPLEXITY_LIMIT_STATES==64 affects cilium progs
with slight increase in number of "steps" it takes to successfully verify
the programs:
before after
bpf_lb-DLB_L3.o 1940 1940
bpf_lb-DLB_L4.o 3089 3089
bpf_lb-DUNKNOWN.o 1065 1065
bpf_lxc-DDROP_ALL.o 28052 | 28162
bpf_lxc-DUNKNOWN.o 35487 | 35541
bpf_netdev.o 10864 10864
bpf_overlay.o 6643 6643
bpf_lcx_jit.o 38437 38437

But it also makes malicious program to be rejected in 0.4 seconds vs 6.5
Hence apply this limit to unprivileged programs only.

Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Acked-by: Edward Cree <ecree@xxxxxxxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
kernel/bpf/verifier.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 3d093003c723..2bbb98535b70 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -156,6 +156,7 @@ struct bpf_verifier_stack_elem {

#define BPF_COMPLEXITY_LIMIT_INSNS 131072
#define BPF_COMPLEXITY_LIMIT_STACK 1024
+#define BPF_COMPLEXITY_LIMIT_STATES 64

#define BPF_MAP_PTR_UNPRIV 1UL
#define BPF_MAP_PTR_POISON ((void *)((0xeB9FUL << 1) + \
@@ -4735,7 +4736,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
struct bpf_verifier_state_list *new_sl;
struct bpf_verifier_state_list *sl;
struct bpf_verifier_state *cur = env->cur_state;
- int i, j, err;
+ int i, j, err, states_cnt = 0;

sl = env->explored_states[insn_idx];
if (!sl)
@@ -4762,8 +4763,12 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
return 1;
}
sl = sl->next;
+ states_cnt++;
}

+ if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)
+ return 0;
+
/* there were no equivalent states, remember current one.
* technically the current state is not proven to be safe yet,
* but it will either reach outer most bpf_exit (which means it's safe)
--
2.19.1

Next message: Greg Kroah-Hartman: "[PATCH 4.19 082/103] vt: make vt_console_print() compatible with the unicode screen buffer"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 090/103] bpf: enable access to ax register also from verifier rewrite"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 090/103] bpf: enable access to ax register also from verifier rewrite"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 082/103] vt: make vt_console_print() compatible with the unicode screen buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]