fix "netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'"

Al Viro · Al Viro · commit 040ee69226f8 · 2018-01-05T11:43:39.000-05:00
Descriptor table is a shared object; it's not a place where you can stick temporary references to files, especially when we don't need an opened file at all. Cc: stable@vger.kernel.org # v4.14 Fixes: 98589a0 ("netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
@@ -419,6 +419,8 @@ static inline int bpf_map_attr_numa_node(const union bpf_attr *attr)
 		attr->numa_node : NUMA_NO_NODE;
 }
 
+struct bpf_prog *bpf_prog_get_type_path(const char *name, enum bpf_prog_type type);
+
 #else /* !CONFIG_BPF_SYSCALL */
 static inline struct bpf_prog *bpf_prog_get(u32 ufd)
 {
@@ -506,6 +508,12 @@ static inline int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu,
 {
 	return 0;
 }
+
+static inline struct bpf_prog *bpf_prog_get_type_path(const char *name,
+				enum bpf_prog_type type)
+{
+	return ERR_PTR(-EOPNOTSUPP);
+}
 #endif /* CONFIG_BPF_SYSCALL */
 
 static inline struct bpf_prog *bpf_prog_get_type(u32 ufd,
@@ -514,6 +522,8 @@ static inline struct bpf_prog *bpf_prog_get_type(u32 ufd,
 	return bpf_prog_get_type_dev(ufd, type, false);
 }
 
+bool bpf_prog_get_ok(struct bpf_prog *, enum bpf_prog_type *, bool);
+
 int bpf_prog_offload_compile(struct bpf_prog *prog);
 void bpf_prog_offload_destroy(struct bpf_prog *prog);
 
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
@@ -368,7 +368,45 @@ int bpf_obj_get_user(const char __user *pathname, int flags)
 	putname(pname);
 	return ret;
 }
-EXPORT_SYMBOL_GPL(bpf_obj_get_user);
+
+static struct bpf_prog *__get_prog_inode(struct inode *inode, enum bpf_prog_type type)
+{
+	struct bpf_prog *prog;
+	int ret = inode_permission(inode, MAY_READ | MAY_WRITE);
+	if (ret)
+		return ERR_PTR(ret);
+
+	if (inode->i_op == &bpf_map_iops)
+		return ERR_PTR(-EINVAL);
+	if (inode->i_op != &bpf_prog_iops)
+		return ERR_PTR(-EACCES);
+
+	prog = inode->i_private;
+
+	ret = security_bpf_prog(prog);
+	if (ret < 0)
+		return ERR_PTR(ret);
+
+	if (!bpf_prog_get_ok(prog, &type, false))
+		return ERR_PTR(-EINVAL);
+
+	return bpf_prog_inc(prog);
+}
+
+struct bpf_prog *bpf_prog_get_type_path(const char *name, enum bpf_prog_type type)
+{
+	struct bpf_prog *prog;
+	struct path path;
+	int ret = kern_path(name, LOOKUP_FOLLOW, &path);
+	if (ret)
+		return ERR_PTR(ret);
+	prog = __get_prog_inode(d_backing_inode(path.dentry), type);
+	if (!IS_ERR(prog))
+		touch_atime(&path);
+	path_put(&path);
+	return prog;
+}
+EXPORT_SYMBOL(bpf_prog_get_type_path);
 
 static void bpf_evict_inode(struct inode *inode)
 {
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
@@ -1057,7 +1057,7 @@ struct bpf_prog *bpf_prog_inc_not_zero(struct bpf_prog *prog)
 }
 EXPORT_SYMBOL_GPL(bpf_prog_inc_not_zero);
 
-static bool bpf_prog_get_ok(struct bpf_prog *prog,
+bool bpf_prog_get_ok(struct bpf_prog *prog,
 			    enum bpf_prog_type *attach_type, bool attach_drv)
 {
 	/* not an attachment, just a refcount inc, always allow */
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
@@ -52,18 +52,8 @@ static int __bpf_mt_check_fd(int fd, struct bpf_prog **ret)
 
 static int __bpf_mt_check_path(const char *path, struct bpf_prog **ret)
 {
-	mm_segment_t oldfs = get_fs();
-	int retval, fd;
-
-	set_fs(KERNEL_DS);
-	fd = bpf_obj_get_user(path, 0);
-	set_fs(oldfs);
-	if (fd < 0)
-		return fd;
-
-	retval = __bpf_mt_check_fd(fd, ret);
-	sys_close(fd);
-	return retval;
+	*ret = bpf_prog_get_type_path(path, BPF_PROG_TYPE_SOCKET_FILTER);
+	return PTR_ERR_OR_ZERO(*ret);
 }
 
 static int bpf_mt_check(const struct xt_mtchk_param *par)

Original file line number	Diff line number	Diff line change
`@@ -419,6 +419,8 @@ static inline int bpf_map_attr_numa_node(const union bpf_attr *attr)`
`419`	`419`	`attr->numa_node : NUMA_NO_NODE;`
`420`	`420`	`}`
`421`	`421`
	`422`	`+struct bpf_prog bpf_prog_get_type_path(const char name, enum bpf_prog_type type);`
	`423`	`+`
`422`	`424`	`#else /* !CONFIG_BPF_SYSCALL */`
`423`	`425`	`static inline struct bpf_prog *bpf_prog_get(u32 ufd)`
`424`	`426`	`{`
`@@ -506,6 +508,12 @@ static inline int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu,`
`506`	`508`	`{`
`507`	`509`	`return 0;`
`508`	`510`	`}`
	`511`	`+`
	`512`	`+static inline struct bpf_prog bpf_prog_get_type_path(const char name,`
	`513`	`+ enum bpf_prog_type type)`
	`514`	`+{`
	`515`	`+ return ERR_PTR(-EOPNOTSUPP);`
	`516`	`+}`
`509`	`517`	`#endif /* CONFIG_BPF_SYSCALL */`
`510`	`518`
`511`	`519`	`static inline struct bpf_prog *bpf_prog_get_type(u32 ufd,`
`@@ -514,6 +522,8 @@ static inline struct bpf_prog *bpf_prog_get_type(u32 ufd,`
`514`	`522`	`return bpf_prog_get_type_dev(ufd, type, false);`
`515`	`523`	`}`
`516`	`524`
	`525`	`+bool bpf_prog_get_ok(struct bpf_prog , enum bpf_prog_type , bool);`
	`526`	`+`
`517`	`527`	`int bpf_prog_offload_compile(struct bpf_prog *prog);`
`518`	`528`	`void bpf_prog_offload_destroy(struct bpf_prog *prog);`
`519`	`529`
Original file line number	Diff line number	Diff line change
`@@ -1057,7 +1057,7 @@ struct bpf_prog bpf_prog_inc_not_zero(struct bpf_prog prog)`
`1057`	`1057`	`}`
`1058`	`1058`	`EXPORT_SYMBOL_GPL(bpf_prog_inc_not_zero);`
`1059`	`1059`
`1060`		`-static bool bpf_prog_get_ok(struct bpf_prog *prog,`
	`1060`	`+bool bpf_prog_get_ok(struct bpf_prog *prog,`
`1061`	`1061`	`enum bpf_prog_type *attach_type, bool attach_drv)`
`1062`	`1062`	`{`
`1063`	`1063`	`/* not an attachment, just a refcount inc, always allow */`