bpf: check pending signals while verifying programs

[ Upstream commit c3494801cd1785e2c25f1a5735fa19ddcf9665da ] Malicious user space may try to force the verifier to use as much cpu time and memory as possible. Hence check for pending signals while verifying the program. Note that suspend of sys_bpf(PROG_LOAD) syscall will lead to EAGAIN, since the kernel has to release the resources used for program verification. Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Edward Cree <ecree@solarflare.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Alexei Starovoitov <ast@kernel.org> 2018-12-04 09:46:04 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-21 16:15:21 +0300
commit: 6ffd9f25c0e957ade0afb0a437cfc08cd31deffc (patch)
tree: 448b0b0618c7b2d3e2b36d781838a66f88e5658b /kernel
parent: efda3b1d90e50e9af078a7248909acfd8f13cc0a (diff)
download: linux-6ffd9f25c0e957ade0afb0a437cfc08cd31deffc.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 56acfbb80104..2954e4b3abd5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4792,6 +4792,9 @@ static int do_check(struct bpf_verifier_env *env)
 			goto process_bpf_exit;
 		}
 
+		if (signal_pending(current))
+			return -EAGAIN;
+
 		if (need_resched())
 			cond_resched();
author	Alexei Starovoitov <ast@kernel.org>	2018-12-04 09:46:04 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-12-21 16:15:21 +0300
commit	6ffd9f25c0e957ade0afb0a437cfc08cd31deffc (patch)
tree	448b0b0618c7b2d3e2b36d781838a66f88e5658b /kernel
parent	efda3b1d90e50e9af078a7248909acfd8f13cc0a (diff)
download	linux-6ffd9f25c0e957ade0afb0a437cfc08cd31deffc.tar.xz