[SRU Focal] LP: #1888507 Allow BPF programs on s390x to read user memory

[Stefan Bader]

On 26.08.20 22:30, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1888507
> 
> [Impact]
> Some bpf programs will fail to execute on s390x, returning EFAULT when they
> should be able to read user memory.
> 
> [Test case]
> apt-get source linux
> mkdir -p /usr/lib/perf/
> cp -a linux-5.4.0/tools/perf/include /usr/lib/perf/
> probe_read=$(grep -w probe_read /usr/lib/perf/include/bpf/bpf.h)
> probe_read_user=${probe_read//read/read_user}
> sed -i "/probe_read)/i$probe_read_user" /usr/lib/perf/include/bpf/bpf.h
> probe_read_user_str=${probe_read//read/read_user_str}
> sed -i "/probe_read)/i$probe_read_user_str" /usr/lib/perf/include/bpf/bpf.h
> 
> ed - linux-5.4.0/tools/perf/examples/bpf/augmented_raw_syscalls.c << EOF
> 100c
> int string_len = probe_read_user_str(&augmented_arg->value, arg_len, arg);
> .
> w
> EOF
> perf trace -eopenat,augmented_raw_syscalls.c cat /etc/passwd > /dev/null
> 
> You should see:
>      0.332 ( 0.002 ms): cat/3223 openat(dfd: CWD, filename: "/etc/passwd") = 3
> instead of
>      0.334 ( 0.003 ms): cat/3739 openat(dfd: CWD, filename: "") = 3
> 
> [Potential regressions]
> One potential regression is that unprivileged code can be able to exploit the
> changes to read or write kernel memory.

That sounds like a rather grave risk compared to the not quite clear benefits.
Also all code changes are in either generic or even x86 code. How does that
allow s390x to be fixed? How long has this been upstream?

Also there is no complete justification (at least not the regression potential
in the bug report).

-Stefan
> 
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20200827/8a8882f5/attachment-0001.sig>