From: Alexander Mikhalitsyn
To: kees@kernel.org
Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Andy Lutomirski, Will Drewry, Jonathan Corbet, Shuah Khan, Tycho Andersen, Andrei Vagin, Christian Brauner, Stéphane Graber, Alexander Mikhalitsyn
Subject: [PATCH v1 3/6] seccomp: limit number of listeners in seccomp tree
Date: Mon, 1 Dec 2025 13:24:00 +0100
Message-ID: <20251201122406.105045-4-aleksandr.mikhalitsyn@canonical.com>
In-Reply-To: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251201122406.105045-1-aleksandr.mikhalitsyn@canonical.com>

We need to limit the number of listeners in the seccomp tree to
MAX_LISTENERS_PER_PATH, because we don't want to use dynamic memory
allocations in a very hot __seccomp_filter() function and we use a
preallocated static array on the stack.

Also, let's return ELOOP to userspace if it attempts to install
more than MAX_LISTENERS_PER_PATH listeners, instead of ENOMEM as we
do when userspace hits the limit of cBPF instructions. This will make
the uAPI a bit more convenient.

Note that the has_duplicate_listener() check is still in place,
so this change is preparatory.

Cc: linux-kernel@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
Cc: Jonathan Corbet
Cc: Shuah Khan
Cc: Tycho Andersen
Cc: Andrei Vagin
Cc: Christian Brauner
Cc: Stéphane Graber
Signed-off-by: Alexander Mikhalitsyn
--- kernel/seccomp.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index c9a1062a53bd..ded3f6a6430b 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
@@ -931,17 +931,25 @@ static long seccomp_attach_filter(unsigned int flags, struct seccomp_filter *filter) { unsigned long total_insns; + unsigned char total_listeners; struct seccomp_filter *walker; =20 assert_spin_locked(¤t->sighand->siglock); =20 - /* Validate resulting filter length. */ + /* Validate resulting filter length and number of nested listeners. */ total_insns =3D filter->prog->len; - for (walker =3D current->seccomp.filter; walker; walker =3D walker->prev) + total_listeners =3D filter->notif ? 1 : 0; + for (walker =3D current->seccomp.filter; walker; walker =3D walker->prev)= { total_insns +=3D walker->prog->len + 4; /* 4 instr penalty */ + total_listeners +=3D walker->notif ? 1 : 0; + } + if (total_insns > MAX_INSNS_PER_PATH) return -ENOMEM; =20 + if (total_listeners > MAX_LISTENERS_PER_PATH) + return -ELOOP; + /* If thread sync has been requested, check that it is possible. */ if (flags & SECCOMP_FILTER_FLAG_TSYNC) { int ret; --=20 2.43.0
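
Review bot: The `unsigned char total_listeners` declaration at the top of seccomp_attach_filter() is only safe while MAX_LISTENERS_PER_PATH stays below 255, because the comparison `total_listeners > MAX_LISTENERS_PER_PATH` can never be true for an 8-bit counter once the limit reaches 255, and a wrapped counter would pass the check silently. Nothing in this hunk enforces that relationship, so consider declaring the counter as `unsigned int`, or adding `BUILD_BUG_ON(MAX_LISTENERS_PER_PATH >= U8_MAX)` next to the check so a later change to the limit cannot disable it. The new -ELOOP return is also visible to userspace and differs from the -ENOMEM returned two lines above for the instruction limit; the updated comment only says what is validated, so a short note there on which errno maps to which limit would help readers of this function.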