References: <1538943795-30895-1-git-send-email-wang6495@umn.edu>
In-Reply-To: <1538943795-30895-1-git-send-email-wang6495@umn.edu>
From: Song Liu
Date: Mon, 8 Oct 2018 13:51:09 -0700
Subject: Re: [PATCH] bpf: btf: Fix a missing check bug
To: wang6495@umn.edu
Cc: kjlu@umn.edu, Alexei Starovoitov, Daniel Borkmann, Networking, open list
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Oct 7, 2018 at 1:26 PM Wenwen Wang wrote:
>
> In btf_parse_hdr(), the length of the btf data header is firstly copied
> from the user space to 'hdr_len' and checked to see whether it is larger
> than 'btf_data_size'. If yes, an error code EINVAL is returned. Otherwise,
> the whole header is copied again from the user space to 'btf->hdr'.
> However, after the second copy, there is no check between
> 'btf->hdr->hdr_len' and 'hdr_len' to confirm that the two copies get the
> same value. Given that the btf data is in the user space, a malicious user
> can race to change the data between the two copies. By doing so, the user
> can provide malicious data to the kernel and cause undefined behavior.
>
> This patch adds a necessary check after the second copy, to make sure
> 'btf->hdr->hdr_len' has the same value as 'hdr_len'. Otherwise, an error
> code EINVAL will be returned.

These two numbers are copied from the same memory location, right? So I think
this check is not necessary?

Thanks,
Song

> Signed-off-by: Wenwen Wang
> ---
>  kernel/bpf/btf.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 2590700..7cce7db 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -2114,6 +2114,9 @@ static int btf_parse_hdr(struct btf_verifier_env *env, void __user *btf_data,
>
>  	hdr = &btf->hdr;
>
> +	if (hdr->hdr_len != hdr_len)
> +		return -EINVAL;
> +
>  	btf_verifier_log_hdr(env, btf_data_size);
>
>  	if (hdr->magic != BTF_MAGIC) {
> --
> 2.7.4
>
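Review bot: the new `hdr->hdr_len != hdr_len` check sits before `btf_verifier_log_hdr(env, btf_data_size)`, so a header rejected by it leaves nothing in the verifier log; moving the comparison below the log call would make the rejection diagnosable from the log alone. The commit message should also name the later code that consumes `hdr->hdr_len` instead of the already-bounded `hdr_len`: the check only matters if such a consumer exists, which is exactly what the reply above questions, and stating it would settle the review.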
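The double fetch the commit message describes, as an added illustration that is not part of this thread or of kernel/bpf/btf.c: a user-space model in which a hook standing in for a concurrent writer changes hdr_len between the two copies, run once without and once with the comparison the patch adds. The struct layout, the 64-byte btf_data_size, the magic value and all function names are constructed for the demo; whether the unchecked second copy is actually harmful still depends on which later code consumes hdr->hdr_len, which is the question the reply raises.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the BTF header; field names follow the patch. */
struct hdr { uint32_t magic; uint32_t hdr_len; };

/* Simulated user buffer, plus a hook that runs between the two fetches and
 * stands in for a concurrent user-space writer (constructed for this demo). */
static unsigned char user_buf[sizeof(struct hdr)];
static void (*between_fetches)(void);

/* Stand-in for copy_from_user(): copies len bytes from user_buf + off. */
static void fetch_user(void *dst, size_t off, size_t len) { memcpy(dst, user_buf + off, len); }

/* The parse the commit message describes: fetch hdr_len, bound it, then fetch
 * the whole header again.  recheck == 0 trusts the second copy as-is (the
 * pre-patch behaviour); recheck == 1 applies the patch's comparison. */
static int parse_hdr(size_t btf_data_size, int recheck, struct hdr *out)
{
	uint32_t hdr_len;
	fetch_user(&hdr_len, offsetof(struct hdr, hdr_len), sizeof(hdr_len));
	if (hdr_len > btf_data_size)
		return -EINVAL;		/* existing bound check, on the first fetch */
	if (between_fetches)
		between_fetches();	/* the window between the two copies */
	fetch_user(out, 0, sizeof(*out));	/* second fetch: may differ from hdr_len */
	if (recheck && out->hdr_len != hdr_len)
		return -EINVAL;		/* the check the patch adds */
	return 0;
}

/* Concurrent writer: changes hdr_len after it has passed the bound check. */
static void rewrite_hdr_len(void)
{
	uint32_t big = UINT32_MAX;
	memcpy(user_buf + offsetof(struct hdr, hdr_len), &big, sizeof(big));
}

/* One scenario: seed the buffer, optionally race, parse against a constructed
 * 64-byte btf_data_size.  *out is the header the kernel side would go on to trust. */
static int run_scenario(uint32_t initial_len, int race, int recheck, struct hdr *out)
{
	uint32_t magic = 0x1234;	/* constructed, not the real BTF_MAGIC */
	memcpy(user_buf + offsetof(struct hdr, magic), &magic, sizeof(magic));
	memcpy(user_buf + offsetof(struct hdr, hdr_len), &initial_len, sizeof(initial_len));
	between_fetches = race ? rewrite_hdr_len : NULL;
	return parse_hdr(64, recheck, out);
}
```

Without the recheck the racing scenario returns 0 while the trusted header carries an hdr_len that never passed the bound check; with it, the same scenario is rejected with -EINVAL.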