Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2852927imm;
        Sun, 7 Oct 2018 13:27:51 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60m/RKLgEkzAqSIheseHRaRpX+TWYWSA+EErixciSHS+YdNXyXjePcwFkOg+dFDC2T5vUw+
X-Received: by 2002:a62:3942:: with SMTP id g63-v6mr22738409pfa.170.1538944071748;
        Sun, 07 Oct 2018 13:27:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538944071; cv=none;
        d=google.com; s=arc-20160816;
        b=p68STa259IqwMROulWwy7+8XWQOfueIHgk0VoBVjUv9i4ghZfKj8fCs1AicInHB8hJ
         AjaDFt0eBgmQN5jt8FLjfun6iFqeF4gXKoULCNeqWt1aJtm/fauPKD5AX7Oik/bgEtHK
         ADSeUjOQbas/lADhaCoicW31BYPYLwKMQQ7NUNoBYp/WQfozIy5q1Z/avShXPMedYI9+
         LjsD91GJuguSgVt7JMVfUmTVFNrOrvSu0TncKI+ZZ1VHnntpVBkFR/denlAqCaYOmz6m
         aLqFOVljQ2BVbqPl8DBbKtl2KSGv/mJgqMuOKnXaoyiPR1gPjGqGTw9GO6HTsQUzbmtu
         zciw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=GDHzrbWwf7H50BYiqvccLLc+rwpiyI9fiUsRn1ypPgY=;
        b=lMQ5Rm04IxFY0g0vmpfuxrsWhYn4lkpxtXWlZDkWeq4ZRqFqS4T96O5+DchhSiB7lE
         mQrS1lDrO3cZBpYEaIcYFOW1vLj7UmD4JudpiAKHoSUuc/cXHQm+ndGnchP932R53/E0
         TzrOYia/7hAJK6m/FFWU0r1sQBr8zEmb3Chs3DFORSUZf2R3UydzL8mWNF9r/u8a9mg8
         0GcdIY5wMahmXHvDzPMeOJRVryGw5R/4x5+pc6/SIvCqiuDtl5kprvuFW18EEv6dp56p
         IQxiXS+6fWq6grZZ80pYoVYEXerlMWg48StPg3t6lJLzralevqvdN7c58Yx2PH8OkROZ
         Na0Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@umn.edu header.s=google header.b=c7CuiUUD;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v124-v6si16387514pfv.1.2018.10.07.13.27.23;
        Sun, 07 Oct 2018 13:27:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@umn.edu header.s=google header.b=c7CuiUUD;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728207AbeJHDb5 (ORCPT <rfc822;tluu11sec@gmail.com> + 99 others);
        Sun, 7 Oct 2018 23:31:57 -0400
Received: from mta-p7.oit.umn.edu ([134.84.196.207]:57732 "EHLO
        mta-p7.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726365AbeJHDb5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 7 Oct 2018 23:31:57 -0400
Received: from localhost (unknown [127.0.0.1])
        by mta-p7.oit.umn.edu (Postfix) with ESMTP id 8C5CD1D5
        for <linux-kernel@vger.kernel.org>; Sun,  7 Oct 2018 20:23:30 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1])
        by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id M46LQDsHOaF1 for <linux-kernel@vger.kernel.org>;
        Sun,  7 Oct 2018 15:23:30 -0500 (CDT)
Received: from mail-it1-f198.google.com (mail-it1-f198.google.com [209.85.166.198])
        (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 601B49FC
        for <linux-kernel@vger.kernel.org>; Sun,  7 Oct 2018 15:23:30 -0500 (CDT)
Received: by mail-it1-f198.google.com with SMTP id k69-v6so1349077ite.9
        for <linux-kernel@vger.kernel.org>; Sun, 07 Oct 2018 13:23:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=umn.edu; s=google;
        h=from:to:cc:subject:date:message-id;
        bh=GDHzrbWwf7H50BYiqvccLLc+rwpiyI9fiUsRn1ypPgY=;
        b=c7CuiUUD1utj2cLcXLY7DVlYIJ+7KcfFvUPUPFdut3Uh4kDV6xyhYUXn2WaBL+5v6K
         jvs7Mx3WeuAG2y/Qtr73JVJESl9vbWQ822JLhbisftKI2E1RcSiA3VDM+q0Pksk8SasS
         o7U2ddJwZbNKoRLYXu+INwuHinvDh0xouXwHuLPrPyQy0ExKbJWkCYNwgQxOkT40bSjj
         Ayklu4wFntdx8p+Px1B4y3hEV3M+5lqotD2KciEFLd/ReCwhO/nKjpyus1jaM2N15FlK
         CFos/Z5T1FgFbTcNmdcgaL2HDmOxh4sMDxcWaCHBVCuKNb0OQ7cRQTRwfFeXladXBJ1e
         4OeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=GDHzrbWwf7H50BYiqvccLLc+rwpiyI9fiUsRn1ypPgY=;
        b=qtEBsshp0lbJzDX7DJfBGMo0nKipNihNdusj6ZDANaqwhGD6+d+GN05QLuf1zzgpnc
         arJ7nktX7XlcBvqvZ5kVE7+ARB2JDkh7ooqCouk38rE5xExjMvx5FPAqAx4CPbPNcrot
         BsPQ0BqEkpOZn1ic+4f86Pg8Ql3h4yphN50Ywkn1sTUwGTSzA8gqgY3vedYaXzyCUR8t
         SJ5Ax4WffBwbjPRRjA8G1Jr4wiennR0feVlA5jLONS2iK7UPHG+HXf8UowIjHEhFRTeU
         c4h3uzAvgsaQMVNVjJO2GjJzY2DPa/9EJXcSkAwFdwB+7lUcotS7IDySeQVdp3kO0d8I
         SRZQ==
X-Gm-Message-State: ABuFfogjeD3ae8/S+6iaW0w12mquGaD3g/HIq/heP99t5s/JNbtSI55Z
        3Zr/lpTw7hLA7MBRMUhHc1nj/WUSqxcMNY8/aFeLHtjopTICA6YC/FY7Qm+gHU0G6xw0FUuTsPF
        nqH2zjGLUYJOtPT907tKjrFrcshkv
X-Received: by 2002:a24:25c1:: with SMTP id g184-v6mr14260637itg.120.1538943810068;
        Sun, 07 Oct 2018 13:23:30 -0700 (PDT)
X-Received: by 2002:a24:25c1:: with SMTP id g184-v6mr14260628itg.120.1538943809886;
        Sun, 07 Oct 2018 13:23:29 -0700 (PDT)
Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95])
        by smtp.gmail.com with ESMTPSA id w134-v6sm4023152itc.12.2018.10.07.13.23.28
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Sun, 07 Oct 2018 13:23:29 -0700 (PDT)
From:   Wenwen Wang <wang6495@umn.edu>
To:     Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>, Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        netdev@vger.kernel.org (open list:BPF (Safe dynamic programs and tools)),
        linux-kernel@vger.kernel.org (open list:BPF (Safe dynamic programs and
        tools))
Subject: [PATCH] bpf: btf: Fix a missing check bug
Date:   Sun,  7 Oct 2018 15:23:15 -0500
Message-Id: <1538943795-30895-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In btf_parse_hdr(), the length of the btf data header is firstly copied
from the user space to 'hdr_len' and checked to see whether it is larger
than 'btf_data_size'. If yes, an error code EINVAL is returned. Otherwise,
the whole header is copied again from the user space to 'btf->hdr'.
However, after the second copy, there is no check between
'btf->hdr->hdr_len' and 'hdr_len' to confirm that the two copies get the
same value. Given that the btf data is in the user space, a malicious user
can race to change the data between the two copies. By doing so, the user
can provide malicious data to the kernel and cause undefined behavior.

This patch adds a necessary check after the second copy, to make sure
'btf->hdr->hdr_len' has the same value as 'hdr_len'. Otherwise, an error
code EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
 kernel/bpf/btf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 2590700..7cce7db 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -2114,6 +2114,9 @@ static int btf_parse_hdr(struct btf_verifier_env *env, void __user *btf_data,
 
 	hdr = &btf->hdr;
 
+	if (hdr->hdr_len != hdr_len)
+		return -EINVAL;
+
 	btf_verifier_log_hdr(env, btf_data_size);
 
 	if (hdr->magic != BTF_MAGIC) {
-- 
2.7.4