| author | Alexei Starovoitov <ast@kernel.org> | 2018-12-03 22:46:06 -0800 |
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2018-12-04 17:22:02 +0100 |
| commit | ceefbc96fa5c5b975d87bf8e89ba8416f6b764d9 | |
| tree | 46ba4c3e98ffb4eb565dfce9b0bb2fda5ef35ead | |
| parent | 4f7b3e82589e0de723780198ec7983e427144c0a | |
bpf: add per-insn complexity limit
A malicious bpf program may try to force the verifier to remember
a lot of distinct verifier states.
Put a limit on the number of per-insn 'struct bpf_verifier_state'.
Note that hitting the limit doesn't reject the program.
It potentially makes the verifier do more steps to analyze the program.
It means that malicious programs will hit BPF_COMPLEXITY_LIMIT_INSNS sooner
instead of spending cpu time walking a long linked list.
The limit of BPF_COMPLEXITY_LIMIT_STATES==64 affects cilium progs
with a slight increase in the number of "steps" it takes to successfully verify
the programs:
                       before    after
bpf_lb-DLB_L3.o         1940      1940
bpf_lb-DLB_L4.o         3089      3089
bpf_lb-DUNKNOWN.o       1065      1065
bpf_lxc-DDROP_ALL.o     28052  |  28162
bpf_lxc-DUNKNOWN.o      35487  |  35541
bpf_netdev.o            10864     10864
bpf_overlay.o           6643      6643
bpf_lcx_jit.o           38437     38437
But it also makes a malicious program be rejected in 0.4 seconds vs 6.5.
Hence apply this limit to unprivileged programs only.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
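The mechanism the commit message describes, as an added toy model that is not kernel code and not part of this commit: a per-instruction list of already-explored states is walked to look for an equivalent state (pruning), and once the list holds the cap's worth of entries, new distinct states are no longer remembered, so the walk cost stays bounded even when an adversary keeps producing fresh states. The list, the single-integer "fingerprint" standing in for a full verifier state, the `cap == 0` convention for "unlimited", and the 1000-visit adversarial pattern are all assumptions made for this illustration; the real `struct bpf_verifier_state` comparison is far more involved.

```c
#include <stdio.h>
#include <stdlib.h>

/* Same value the commit message names; used here only as a default cap. */
#define TOY_COMPLEXITY_LIMIT_STATES 64

/*
 * Toy stand-in for a verifier state (assumption): one integer fingerprint,
 * so two states are "equivalent" exactly when the fingerprints match.
 */
struct toy_state {
	unsigned long fingerprint;
	struct toy_state *next;
};

/* Per-instruction slot: the list of states already explored at this insn. */
struct insn_slot {
	struct toy_state *head;
	unsigned int count;
};

/*
 * Walk the slot's list looking for an equivalent state.  Returns 1 when one
 * is found (the current path is pruned), 0 otherwise.  A new state is
 * remembered only while the slot is below 'cap'; at the cap it is dropped,
 * so the list stops growing and later walks cost at most 'cap' compares.
 * cap == 0 means unlimited (models the privileged case).  '*compares' counts
 * list nodes touched, which is the cost the cap is meant to bound.
 */
static int is_state_visited(struct insn_slot *slot, unsigned long fp,
			    unsigned int cap, unsigned long *compares)
{
	struct toy_state *cur;

	for (cur = slot->head; cur; cur = cur->next) {
		(*compares)++;
		if (cur->fingerprint == fp)
			return 1;	/* equivalent state seen before: prune */
	}

	if (cap && slot->count >= cap)
		return 0;	/* over the cap: explore, but do not remember */

	cur = malloc(sizeof(*cur));
	if (!cur)
		return 0;	/* treat allocation failure like hitting the cap */
	cur->fingerprint = fp;
	cur->next = slot->head;
	slot->head = cur;
	slot->count++;
	return 0;
}

static void free_slot(struct insn_slot *slot)
{
	while (slot->head) {
		struct toy_state *next = slot->head->next;
		free(slot->head);
		slot->head = next;
	}
	slot->count = 0;
}

/*
 * Adversarial pattern (constructed): one insn reached n times with n distinct
 * states.  Fills *len with the final list length and returns total compares.
 */
static unsigned long run_distinct_visits(unsigned int n, unsigned int cap,
					 unsigned int *len)
{
	struct insn_slot slot = { NULL, 0 };
	unsigned long compares = 0;
	unsigned int i;

	for (i = 0; i < n; i++)
		is_state_visited(&slot, i, cap, &compares);
	*len = slot.count;
	free_slot(&slot);
	return compares;
}

unsigned long distinct_visits_cost(unsigned int n, unsigned int cap)
{
	unsigned int len;
	return run_distinct_visits(n, cap, &len);
}

unsigned int distinct_visits_len(unsigned int n, unsigned int cap)
{
	unsigned int len;
	run_distinct_visits(n, cap, &len);
	return len;
}

/*
 * After feeding cap+10 distinct states, probe fingerprint 'fp'.  States that
 * made it into the list must still be pruned; states dropped at the cap
 * are not, which is exactly the "more steps, not rejection" trade-off.
 */
int probe_pruned(unsigned int cap, unsigned long fp)
{
	struct insn_slot slot = { NULL, 0 };
	unsigned long compares = 0;
	unsigned int i, pruned;

	for (i = 0; i < TOY_COMPLEXITY_LIMIT_STATES + 10; i++)
		is_state_visited(&slot, i, cap, &compares);
	pruned = is_state_visited(&slot, fp, cap, &compares);
	free_slot(&slot);
	return pruned;
}

int main(void)
{
	printf("unlimited: %lu compares, list len %u\n",
	       distinct_visits_cost(1000, 0), distinct_visits_len(1000, 0));
	printf("cap %d:    %lu compares, list len %u\n",
	       TOY_COMPLEXITY_LIMIT_STATES,
	       distinct_visits_cost(1000, TOY_COMPLEXITY_LIMIT_STATES),
	       distinct_visits_len(1000, TOY_COMPLEXITY_LIMIT_STATES));
	return 0;
}
```

With no cap the walk cost grows quadratically in the number of distinct states the adversary forces (n(n-1)/2 compares for n visits); with the cap it is a fixed 2016 compares to fill the list plus 64 per later visit, which is the "hit BPF_COMPLEXITY_LIMIT_INSNS sooner instead of walking a long list" behaviour the message describes.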
