OpenE2K/linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
82b1b2ec5d
linux/kernel/bpf
History
Alexei Starovoitov ceefbc96fa bpf: add per-insn complexity limit 
malicious bpf program may try to force the verifier to remember
a lot of distinct verifier states.
Put a limit to number of per-insn 'struct bpf_verifier_state'.
Note that hitting the limit doesn't reject the program.
It potentially makes the verifier do more steps to analyze the program.
It means that malicious programs will hit BPF_COMPLEXITY_LIMIT_INSNS sooner
instead of spending cpu time walking long link list.

The limit of BPF_COMPLEXITY_LIMIT_STATES==64 affects cilium progs
with slight increase in number of "steps" it takes to successfully verify
the programs:
                       before    after
bpf_lb-DLB_L3.o         1940      1940
bpf_lb-DLB_L4.o         3089      3089
bpf_lb-DUNKNOWN.o       1065      1065
bpf_lxc-DDROP_ALL.o     28052  |  28162
bpf_lxc-DUNKNOWN.o      35487  |  35541
bpf_netdev.o            10864     10864
bpf_overlay.o           6643      6643
bpf_lcx_jit.o           38437     38437

But it also makes malicious program to be rejected in 0.4 seconds vs 6.5
Hence apply this limit to unprivileged programs only.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-12-04 17:22:02 +01:00
..
arraymap.c bpf: return EOPNOTSUPP when map lookup isn't supported 2018-10-09 21:52:20 -07:00
bpf_lru_list.c
bpf_lru_list.h
btf.c bpf: btf: check name validity for various types 2018-11-28 16:03:04 -08:00
cgroup.c bpf: add cg_skb_is_valid_access for BPF_PROG_TYPE_CGROUP_SKB 2018-10-19 13:49:34 -07:00
core.c bpf, ppc64: generalize fetching subprog into bpf_jit_get_func_addr 2018-11-26 17:34:24 -08:00
cpumap.c bpf: fix redirect to map under tail calls 2018-08-17 15:56:23 -07:00
devmap.c bpf: devmap: fix wrong interface selection in notifier_call 2018-10-26 00:32:21 +02:00
disasm.c bpf: Remove struct bpf_verifier_env argument from print_bpf_insn 2018-03-23 17:38:57 +01:00
disasm.h bpf: Remove struct bpf_verifier_env argument from print_bpf_insn 2018-03-23 17:38:57 +01:00
hashtab.c bpf: add bpffs pretty print for percpu arraymap/hash/lru_hash 2018-08-30 14:03:53 +02:00
helpers.c bpf: fix direct packet write into pop/peek helpers 2018-10-25 17:02:06 -07:00
inode.c bpf: decouple btf from seq bpf fs dump and enable more maps 2018-08-13 00:52:45 +02:00
local_storage.c bpf: allocate local storage buffers using GFP_ATOMIC 2018-11-16 21:17:49 -08:00
lpm_trie.c bpf: decouple btf from seq bpf fs dump and enable more maps 2018-08-13 00:52:45 +02:00
Makefile bpf: add queue and stack maps 2018-10-19 13:24:31 -07:00
map_in_map.c bpf: don't allow create maps of per-cpu cgroup local storages 2018-10-01 16:18:33 +02:00
map_in_map.h
offload.c bpf: add verifier callback to get stack usage info for offloaded progs 2018-10-08 10:24:12 +02:00
percpu_freelist.c
percpu_freelist.h
queue_stack_maps.c bpf: fix integer overflow in queue_stack_map 2018-11-22 21:29:40 +01:00
reuseport_array.c bpf: Introduce BPF_MAP_TYPE_REUSEPORT_SOCKARRAY 2018-08-11 01:58:46 +02:00
stackmap.c bpf: rename stack trace map operations 2018-10-19 13:24:30 -07:00
syscall.c bpf: fix bpf_prog_get_info_by_fd to return 0 func_lens for unpriv 2018-11-02 13:51:15 -07:00
tnum.c bpf/verifier: improve register value range tracking with ARSH 2018-04-29 08:45:53 -07:00
verifier.c bpf: add per-insn complexity limit 2018-12-04 17:22:02 +01:00
xskmap.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-10-19 11:03:06 -07:00