bpf: check pending signals while verifying programs

Malicious user space may try to force the verifier to use as much cpu time and memory as possible. Hence check for pending signals while verifying the program. Note that suspend of sys_bpf(PROG_LOAD) syscall will lead to EAGAIN, since the kernel has to release the resources used for program verification. Reported-by: Anatoly Trosinenko <[email protected]> Signed-off-by: Alexei Starovoitov <[email protected]> Acked-by: Daniel Borkmann <[email protected]> Acked-by: Edward Cree <[email protected]> Signed-off-by: Daniel Borkmann <[email protected]>
author: Alexei Starovoitov <[email protected]> 2018-12-03 22:46:04 -0800
committer: Daniel Borkmann <[email protected]> 2018-12-04 17:22:02 +0100
commit: c3494801cd1785e2c25f1a5735fa19ddcf9665da (patch)
tree: f3bedbb2deb12948d7765aaac8f4a2e8000fdd73
parent: 025dceb0fab31c912c41b8f32577432231d83e6b (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6dd419550aba..751bb30b7c5c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5148,6 +5148,9 @@ static int do_check(struct bpf_verifier_env *env)
 			goto process_bpf_exit;
 		}
 
+		if (signal_pending(current))
+			return -EAGAIN;
+
 		if (need_resched())
 			cond_resched();
author	Alexei Starovoitov <[email protected]>	2018-12-03 22:46:04 -0800
committer	Daniel Borkmann <[email protected]>	2018-12-04 17:22:02 +0100
commit	c3494801cd1785e2c25f1a5735fa19ddcf9665da (patch)
tree	f3bedbb2deb12948d7765aaac8f4a2e8000fdd73
parent	025dceb0fab31c912c41b8f32577432231d83e6b (diff)