On Mon, May 25, 2020 at 04:39:40PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
The patch below does not apply to the 5.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable@xxxxxxxxxxxxxxx>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dfeb376dd4cb2c5004aeb625e2475f58a5ff2ea7 Mon Sep 17 00:00:00 2001 From: Andrii Nakryiko <andriin@xxxxxx> Date: Mon, 18 May 2020 22:38:24 -0700 Subject: [PATCH] bpf: Prevent mmap()'ing read-only maps as writable As discussed in [0], it's dangerous to allow mapping BPF map, that's meant to be frozen and is read-only on BPF program side, because that allows user-space to actually store a writable view to the page even after it is frozen. This is exacerbated by BPF verifier making a strong assumption that contents of such frozen map will remain unchanged. To prevent this, disallow mapping BPF_F_RDONLY_PROG mmap()'able BPF maps as writable, ever. [0] https://lore.kernel.org/bpf/CAEf4BzYGWYhXdp6BJ7_=9OQPJxQpgug080MMjdSB72i9R+5c6g@xxxxxxxxxxxxxx/ Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") Suggested-by: Jann Horn <jannh@xxxxxxxxxx> Signed-off-by: Andrii Nakryiko <andriin@xxxxxx> Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> Reviewed-by: Jann Horn <jannh@xxxxxxxxxx> Link: https://lore.kernel.org/bpf/20200519053824.1089415-1-andriin@xxxxxx
I've adjusted context in the selftest update and queued it up. -- Thanks, Sasha
