From: valdis.kletnieks@vt.edu
To: Song Liu
Cc: wang6495@umn.edu, kjlu@umn.edu, Alexei Starovoitov, Daniel Borkmann, Networking, open list
Subject: Re: [PATCH] bpf: btf: Fix a missing check bug
Date: Mon, 08 Oct 2018 17:17:08 -0400
Message-ID: <43898.1539033428@turing-police.cc.vt.edu>
References: <1538943795-30895-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 08 Oct 2018 13:51:09 -0700, Song Liu said:
> On Sun, Oct 7, 2018 at 1:26 PM Wenwen Wang wrote:
> > same value. Given that the btf data is in the user space, a malicious user
> > can race to change the data between the two copies. By doing so, the user
> > can provide malicious data to the kernel and cause undefined behavior.
> These two numbers are copied from same memory location, right? So I
> think this check is not necessary?

Security researchers call this a TOCTOU bug - Time of Check - Time of Use.

What can happen:

1) We fetch the value (say we get 90) from userspace and stash it in hdr_len.

2) We do some other stuff like check the hdr_len isn't too big, etc..

meanwhile, on another CPU running another thread of the process...

3) malicious code stuffs a 117 into that field

4) We fetch the entire header, including a now-changed hdr_len (now 117) and
stick it in btf->hdr->hdr_len.

5) Any code that assumes that hdr_len and btf->hdr->hdr_len are the same value
explodes in interesting ways.
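The five-step sequence above, as an added example that is not part of the patch or of anyone's message in this thread. It models the double copy deterministically: "user memory" is a plain buffer, and the "other thread" of step 3 is a function that rewrites hdr_len between the two fetches, so the race always fires and the outcome can be checked. The struct layout, the names (btf_hdr_model, user_blob, parse_hdr_vulnerable, parse_hdr_fixed) and the 90/117 values are invented for the demo; the only thing taken from the thread is the idea of comparing the first fetched hdr_len with the one inside the full header copy.

```c
/*
 * Added example, not kernel code: deterministic model of the TOCTOU race
 * between two copies of hdr_len from user memory.  All names and the
 * header layout are invented for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model header: only hdr_len matters here (layout is an assumption). */
struct btf_hdr_model {
    uint16_t magic;
    uint8_t  version;
    uint8_t  flags;
    uint32_t hdr_len;
    uint32_t type_len;
    uint32_t str_len;
};

#define USER_BLOB_SIZE 256u
#define MODEL_MAGIC    0xeB9Fu

/* Simulated user memory: the whole blob, header at offset 0. */
static unsigned char user_blob[USER_BLOB_SIZE];

/* copy_from_user stand-in; -1 plays the role of -EFAULT. */
static int copy_from_user_model(void *dst, size_t off, size_t n)
{
    if (off > USER_BLOB_SIZE || n > USER_BLOB_SIZE - off)
        return -1;
    memcpy(dst, user_blob + off, n);
    return 0;
}

/* Construct a well-formed blob whose header claims hdr_len (test input). */
void setup_user_blob(uint32_t hdr_len)
{
    struct btf_hdr_model h = { .magic = MODEL_MAGIC, .version = 1, .hdr_len = hdr_len };
    memset(user_blob, 0, sizeof(user_blob));
    memcpy(user_blob, &h, sizeof(h));
}

/* The "other thread" of step 3: overwrite hdr_len in user memory. */
static void attacker_rewrites_hdr_len(uint32_t new_len)
{
    memcpy(user_blob + offsetof(struct btf_hdr_model, hdr_len), &new_len, sizeof(new_len));
}

/*
 * Shared body of both parsers.  race_len != 0 lets the attacker run between
 * the two copies.  On success *first is the hdr_len that was validated and
 * *second the one sitting inside the full header copy that later code trusts.
 */
static int parse_hdr(uint32_t race_len, int recheck, uint32_t *first, uint32_t *second)
{
    uint32_t hdr_len;
    struct btf_hdr_model hdr;

    /* Step 1: fetch only hdr_len. */
    if (copy_from_user_model(&hdr_len, offsetof(struct btf_hdr_model, hdr_len), sizeof(hdr_len)))
        return -1;

    /* Step 2: check it is sane relative to the blob we were handed. */
    if (hdr_len < sizeof(hdr) || hdr_len > USER_BLOB_SIZE)
        return -1;

    /* Step 3: meanwhile, another thread changes the field. */
    if (race_len)
        attacker_rewrites_hdr_len(race_len);

    /* Step 4: fetch the whole header; hdr.hdr_len may now differ from hdr_len. */
    if (copy_from_user_model(&hdr, 0, sizeof(hdr)))
        return -1;

    /* Fixed variant only: the two copies must agree, otherwise reject. */
    if (recheck && hdr.hdr_len != hdr_len)
        return -1;

    *first = hdr_len;
    *second = hdr.hdr_len;
    return 0;
}

/* Validated value and trusted value can silently diverge (step 5). */
int parse_hdr_vulnerable(uint32_t race_len, uint32_t *first, uint32_t *second)
{
    return parse_hdr(race_len, 0, first, second);
}

/* Same flow plus the equality check between the two copies. */
int parse_hdr_fixed(uint32_t race_len, uint32_t *first, uint32_t *second)
{
    return parse_hdr(race_len, 1, first, second);
}

int main(void)
{
    uint32_t a, b;

    setup_user_blob(90);
    if (parse_hdr_vulnerable(117, &a, &b) == 0)
        printf("vulnerable: validated hdr_len=%u but later code trusts hdr->hdr_len=%u\n", a, b);

    setup_user_blob(90);
    if (parse_hdr_fixed(117, &a, &b) != 0)
        printf("fixed: copies disagree, header rejected\n");
    return 0;
}
```

The re-check is the smallest change to the flow shown in the message; the other standard cure for this class of bug is to copy the user data exactly once into kernel memory and derive every later value, hdr_len included, from that single copy, so there is no second read for a racing thread to influence.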