    bpf: add per-insn complexity limit · 43711294
    Alexei Starovoitov authored
    [ commit ceefbc96 upstream ]
    
    A malicious bpf program may try to force the verifier to remember
    a lot of distinct verifier states.
    Put a limit on the number of per-insn 'struct bpf_verifier_state'.
    Note that hitting the limit doesn't reject the program.
    It potentially makes the verifier do more steps to analyze the program.
    It means that malicious programs will hit BPF_COMPLEXITY_LIMIT_INSNS sooner
    instead of spending cpu time walking a long linked list.
    
    The limit of BPF_COMPLEXITY_LIMIT_STATES==64 affects cilium progs
    with slight increase in number of "steps" it takes to successfully verify
    the programs:
                           before    after
    bpf_lb-DLB_L3.o         1940      1940
    bpf_lb-DLB_L4.o         3089      3089
    bpf_lb-DUNKNOWN.o       1065      1065
    bpf_lxc-DDROP_ALL.o     28052  |  28162
    bpf_lxc-DUNKNOWN.o      35487  |  35541
    bpf_netdev.o            10864     10864
    bpf_overlay.o           6643      6643
    bpf_lcx_jit.o           38437     38437
    
    But it also makes a malicious program be rejected in 0.4 seconds vs 6.5.
    Hence apply this limit to unprivileged programs only.
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Edward Cree <ecree@solarflare.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
verifier.c 178 KB
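
The trade-off the commit message describes, as a simplified model added here for illustration (it is not code from verifier.c): one instruction is reached with many distinct states, and the cap bounds the list walk at the price of fewer pruned visits. Only the value 64 comes from the message; `insn_states`, `visit`, `simulate`, `MAX_STATES` and the integer state ids are assumptions of this sketch.

```c
#include <stdio.h>

#define LIMIT_STATES 64   /* value of BPF_COMPLEXITY_LIMIT_STATES per the commit message */
#define MAX_STATES 4096   /* capacity of this toy list (assumption) */

/* Toy stand-in for the per-insn list of 'struct bpf_verifier_state'. */
struct insn_states {
    int seen[MAX_STATES];
    int count;
    long compares;  /* list entries walked: the CPU cost being bounded */
    long unpruned;  /* visits that must keep analysing: the extra "steps" */
};

/* Reach the instruction with an abstract state id; returns 1 if pruned. */
static int visit(struct insn_states *s, int state, int unprivileged)
{
    for (int i = 0; i < s->count; i++) {
        s->compares++;
        if (s->seen[i] == state)
            return 1;  /* an equivalent state was already explored */
    }
    s->unpruned++;
    /* Hitting the limit does not reject; the state is just not remembered. */
    if (unprivileged && s->count >= LIMIT_STATES)
        return 0;
    if (s->count < MAX_STATES)
        s->seen[s->count++] = state;
    return 0;
}

/* Reach one instruction with n distinct states, then with the same n again. */
static struct insn_states simulate(int n, int unprivileged)
{
    struct insn_states s = {0};
    for (int pass = 0; pass < 2; pass++)
        for (int st = 0; st < n; st++)
            visit(&s, st, unprivileged);
    return s;
}

int main(void)
{
    struct insn_states priv = simulate(1000, 0), unpriv = simulate(1000, 1);
    printf("privileged:   compares=%ld unpruned=%ld\n", priv.compares, priv.unpruned);
    printf("unprivileged: compares=%ld unpruned=%ld\n", unpriv.compares, unpriv.unpruned);
    return 0;
}
```

In this model the capped run walks far fewer list entries but leaves more visits unpruned, which is the same direction as the small step increases in the table above and the reason a real program reaches BPF_COMPLEXITY_LIMIT_INSNS sooner.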