diff options
| author | Anay Wadhera <awadhera@berkeley.edu> | 2021-05-20 21:56:43 -0700 |
|---|---|---|
| committer | Michael Bestas <mkbestas@lineageos.org> | 2022-04-19 00:49:44 +0300 |
| commit | fbd2037fcf5dd7b668cce94a91b20b2b4af19f93 (patch) | |
| tree | 3d346de805297a061d03793259dba58f505f49e3 /kernel/bpf/arraymap.c | |
| parent | 980add4490a19cbf5b73938a2b52278bf3ba8266 (diff) | |
Revert "bpf: prevent out-of-bounds speculation"
This reverts commit 9a7fad4c0e215fb1c256fee27c45f9f8bc4364c5.
Signed-off-by: Chatur27 <jasonbright2709@gmail.com>
Diffstat (limited to 'kernel/bpf/arraymap.c')
| -rw-r--r-- | kernel/bpf/arraymap.c | 24 |
1 files changed, 5 insertions, 19 deletions
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index 56f8a8306a49..b0799bced518 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -20,9 +20,8 @@ /* Called from syscall */ static struct bpf_map *array_map_alloc(union bpf_attr *attr) { - u32 elem_size, array_size, index_mask, max_entries; - bool unpriv = !capable(CAP_SYS_ADMIN); struct bpf_array *array; + u32 elem_size, array_size; /* check sanity of attributes */ if (attr->max_entries == 0 || attr->key_size != 4 || @@ -37,21 +36,12 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) elem_size = round_up(attr->value_size, 8); - max_entries = attr->max_entries; - index_mask = roundup_pow_of_two(max_entries) - 1; - - if (unpriv) - /* round up array size to nearest power of 2, - * since cpu will speculate within index_mask limits - */ - max_entries = index_mask + 1; - /* check round_up into zero and u32 overflow */ if (elem_size == 0 || - max_entries > (U32_MAX - PAGE_SIZE - sizeof(*array)) / elem_size) + attr->max_entries > (U32_MAX - PAGE_SIZE - sizeof(*array)) / elem_size) return ERR_PTR(-ENOMEM); - array_size = sizeof(*array) + max_entries * elem_size; + array_size = sizeof(*array) + attr->max_entries * elem_size; /* allocate all map elements and zero-initialize them */ array = kzalloc(array_size, GFP_USER | __GFP_NOWARN); @@ -60,8 +50,6 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) if (!array) return ERR_PTR(-ENOMEM); } - array->index_mask = index_mask; - array->map.unpriv_array = unpriv; /* copy mandatory map attributes */ array->map.key_size = attr->key_size; @@ -82,7 +70,7 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key) if (index >= array->map.max_entries) return NULL; - return array->value + array->elem_size * (index & array->index_mask); + return array->value + array->elem_size * index; } /* Called from syscall */ @@ -123,9 +111,7 @@ static int array_map_update_elem(struct bpf_map *map, void *key, void *value, /* all elements already exist */ return -EEXIST; - memcpy(array->value + - array->elem_size * (index & array->index_mask), - value, map->value_size); + memcpy(array->value + array->elem_size * index, value, map->value_size); return 0; } |