The purpose of this eBPF helper function is to read user memory, as used by security or monitoring eBPF programs. There is therefore no requirement to check user capabilities or uaccess here. Loading of eBPF applications using this helper type is already strictly limited to privileged/root users.
Additionally, this helper is called from an eBPF program, which does not support capabilities. It is therefore unable to pass in a capability as a __user ptr in the first place, so what is actually passed in is an address.
In order to access user memory with just an address, use make_user_ptr_for_read_uaccess() to generate a capability of appropriate bounds for the kernel to use.
Signed-off-by: Zachary Leaf zachary.leaf@arm.com --- kernel/bpf/helpers.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index b4f3c2079484..780eedc3f430 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -647,8 +647,10 @@ const struct bpf_func_proto bpf_event_output_data_proto = { };
BPF_CALL_3(bpf_copy_from_user, void *, dst, u32, size, - const void __user *, user_ptr) + const ptraddr_t, addr) { + const void __user *user_ptr = + make_user_ptr_for_read_uaccess(addr, size); int ret = copy_from_user(dst, user_ptr, size);
if (unlikely(ret)) {