From 761f1410d51aa921477925675bd13b6006b377ca Mon Sep 17 00:00:00 2001
From: Paul Chaignon
Date: Sun, 19 Dec 2021 22:36:19 +0100
Subject: sys/linux: support BPF calls to kernel functions
Commit [1] upstream introduced support for BPF calls to kernel functions, via a new call instruction BPF_PSEUDO_KFUNC_CALL. In this new instruction, the immediate value is the BTF ID of the function to call in the kernel. This commit introduces basic support for this new instruction in syzkaller. The immediate value will point to a BTF ID, but a fair amount of additional work would be required to ensure that BTF ID is actually pointing to a kernel function.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6ac2450d6dee
Signed-off-by: Paul Chaignon
---
 sys/linux/bpf.txt | 9 +++++++++
 sys/linux/bpf.txt.const | 1 +
 2 files changed, 10 insertions(+)
(limited to 'sys/linux')
diff --git a/sys/linux/bpf.txt b/sys/linux/bpf.txt
index fcf0a8f07..30fecac48 100644
--- a/sys/linux/bpf.txt
+++ b/sys/linux/bpf.txt
@@ -229,6 +229,7 @@ bpf_insn [
 jmp bpf_insn_jmp
 call bpf_insn_call_helper
 func bpf_insn_call_func
+ kfunc bpf_insn_call_kfunc
 exit bpf_insn_exit
 initr0 bpf_insn_init_r0
 map_fd bpf_insn_map_fd
@@ -343,6 +344,14 @@ bpf_insn_call_func {
 func int32[-8:8]
 }
 
+bpf_insn_call_kfunc {
+ code const[bpf_call_code, int8]
+ dst const[0, int8:4]
+ src const[BPF_PSEUDO_KFUNC_CALL, int8:4]
+ off const[0, int16]
+ kfunc btf_type_id
+}
+
 define bpf_call_code BPF_JMP | BPF_CALL
 
 bpf_insn_exit {
diff --git a/sys/linux/bpf.txt.const b/sys/linux/bpf.txt.const
index 5f8cf4c07..4a4462f3b 100644
--- a/sys/linux/bpf.txt.const
+++ b/sys/linux/bpf.txt.const
@@ -193,6 +193,7 @@ BPF_PROG_TYPE_XDP = 6
 BPF_PSEUDO_BTF_ID = 3
 BPF_PSEUDO_CALL = 1
 BPF_PSEUDO_FUNC = 4
+BPF_PSEUDO_KFUNC_CALL = 2
 BPF_PSEUDO_MAP_FD = 1
 BPF_PSEUDO_MAP_IDX = 5
 BPF_PSEUDO_MAP_IDX_VALUE = 6
--
cgit mrf-deployment
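Review bot: `off const[0, int16]` in the new `bpf_insn_call_kfunc` struct pins the offset to zero, and on kernels where a kfunc call can also target module BTF (I believe the offset there selects a BTF fd from the program's fd_array) that means the generator only ever emits vmlinux-resident kfunc calls; if that restriction is intended it deserves a `#` comment, otherwise a small range such as `off int16[0:4]` would let the module path be exercised as well. The `kfunc btf_type_id` field should carry a one-line comment along the lines of `# imm is a BTF ID the verifier resolves to a kernel function; not validated here`, echoing the commit message, so a later reader does not mistake it for a checked resource. The `bpf_insn` union edited in the first hunk begins outside that hunk, and the `bpf.txt.const` hunk looks like generated extractor output so I have no note on it.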