summaryrefslogtreecommitdiffstats
path: root/lib/livepatch
diff options
context:
space:
mode:
authorAndrii Nakryiko <andriin@fb.com>2020-04-10 13:26:12 -0700
committerDaniel Borkmann <daniel@iogearbox.net>2020-04-14 21:28:57 +0200
commit1f6cb19be2e231fe092f40decb71f066eba090d7 (patch)
treef403308df2df8c60baedaa5eed2444e617e320f0 /lib/livepatch
parent4178417cc5359c329790a4a8f4a6604612338cca (diff)
downloadlinux-stable-1f6cb19be2e231fe092f40decb71f066eba090d7.tar.gz
linux-stable-1f6cb19be2e231fe092f40decb71f066eba090d7.tar.bz2
linux-stable-1f6cb19be2e231fe092f40decb71f066eba090d7.zip
bpf: Prevent re-mmap()'ing BPF map as writable for initially r/o mapping
VM_MAYWRITE flag during initial memory mapping determines if already mmap()'ed pages can be later remapped as writable ones through mprotect() call. To prevent user application to rewrite contents of memory-mapped as read-only and subsequently frozen BPF map, remove VM_MAYWRITE flag completely on initially read-only mapping. Alternatively, we could treat any memory-mapping on unfrozen map as writable and bump writecnt instead. But there is little legitimate reason to map BPF map as read-only and then re-mmap() it as writable through mprotect(), instead of just mmap()'ing it as read/write from the very beginning. Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap operations. We can just rely on VMA holding reference to BPF map's file properly. Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") Reported-by: Jann Horn <jannh@google.com> Signed-off-by: Andrii Nakryiko <andriin@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jann Horn <jannh@google.com> Link: https://lore.kernel.org/bpf/20200410202613.3679837-1-andriin@fb.com
Diffstat (limited to 'lib/livepatch')
0 files changed, 0 insertions, 0 deletions