review.tizen.org Git - platform/kernel/linux-rpi3.git/commit

author	Alexei Starovoitov <ast@kernel.org>
	Mon, 28 Jan 2019 20:28:20 +0000 (21:28 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 31 Jan 2019 07:14:40 +0000 (08:14 +0100)
commit	437112946263de65ac32be20a040ce77b31926b7
tree	a2d193753d7c8985409862e2aa041b370ddaa16e	tree \| snapshot
parent	7da6cd690c436cad101b23e1e54aa3f27f55088b	commit \| diff

bpf: add per-insn complexity limit

[ commit ceefbc96fa5c5b975d87bf8e89ba8416f6b764d9 upstream ]

malicious bpf program may try to force the verifier to remember
a lot of distinct verifier states.
Put a limit to number of per-insn 'struct bpf_verifier_state'.
Note that hitting the limit doesn't reject the program.
It potentially makes the verifier do more steps to analyze the program.
It means that malicious programs will hit BPF_COMPLEXITY_LIMIT_INSNS sooner
instead of spending cpu time walking long link list.

The limit of BPF_COMPLEXITY_LIMIT_STATES==64 affects cilium progs
with slight increase in number of "steps" it takes to successfully verify
the programs:
                       before    after
bpf_lb-DLB_L3.o         1940      1940
bpf_lb-DLB_L4.o         3089      3089
bpf_lb-DUNKNOWN.o       1065      1065
bpf_lxc-DDROP_ALL.o     28052  |  28162
bpf_lxc-DUNKNOWN.o      35487  |  35541
bpf_netdev.o            10864     10864
bpf_overlay.o           6643      6643
bpf_lcx_jit.o           38437     38437

But it also makes malicious program to be rejected in 0.4 seconds vs 6.5
Hence apply this limit to unprivileged programs only.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>