Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp4226500imm; Mon, 8 Oct 2018 17:45:39 -0700 (PDT) X-Google-Smtp-Source: ACcGV60Hdxbi/SruVXAE7iNk3/ZF0wPPcK4SWgutMc6Lf8ejkQZw4Q1dyLkU27yivh3p+Mf4gbJI X-Received: by 2002:a17:902:830b:: with SMTP id bd11-v6mr25593538plb.249.1539045939650; Mon, 08 Oct 2018 17:45:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539045939; cv=none; d=google.com; s=arc-20160816; b=UOB4CnKcfwnSx06sWqoz69i5Smv6IJuOWc9g2afhx/0VvuFHz8wW5XJUNd8N5YjAi9 RJNkeU1HjfsEBvybi723guuMP1S7p+Z2gMe5QRaoArBojnHhB7ak7DU7BRkl4wFcNol5 +73xgekFrRKZxtq5rFxKD5ELjaVzVPZJVzVBBIjLtpdmceMjFBEXnjogL0HTRO+UDzkC HSbGDDhNl5FFXSxQbrU1jsu+fcQqqCnBPHUXSRDiiIcrNtuFYwduZZeZzf/ASxdRs75H m7rsjc0uZjZ7L0sCsI2qhYk6QMXrCpjbjrQfsXlo2RkjZJ7sYmkFAvFrpmQLuAb1Q/lj K0nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=ICfAujeX9Ki4u3dqmrqRil9WVpptlgrIhpg5HD58dcc=; b=wK0T26mBnqxPpinZd9gwS+7mqTjBb68PxEmWuppbADKWjYRgvgzEvvW2W6Sa9IDhZj Fa+LQsAnoygi7K1+bz9T/2zMHkPvUBGf+1hHoRtiMY28PGxE102xZVzXEyQHx2eMJm2w vshxMJu0jwz2SYwLN+Z6Jnm345i1U1quuLBlkiwrowy29LOBk/ZjLkga+jD1hurZGtB2 BNjsoI54xuQwmlVA5a+2KoiJ7+UVyLv8QIRwNnNb6YL48s432vSJkzVD8qgwCgAUAOuO 97d3EZqqHeyqQHxhI6MgmgaiZKX0Wx0SL4fxWTG2V2//5JkEdcs/BVBB5vztmrTJyU3Z k60g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ge6D+aV6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ce19-v6si9315597plb.162.2018.10.08.17.45.25; Mon, 08 Oct 2018 17:45:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ge6D+aV6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726607AbeJIH7T (ORCPT + 99 others); Tue, 9 Oct 2018 03:59:19 -0400 Received: from mail-qt1-f193.google.com ([209.85.160.193]:34879 "EHLO mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725823AbeJIH7T (ORCPT ); Tue, 9 Oct 2018 03:59:19 -0400 Received: by mail-qt1-f193.google.com with SMTP id v19-v6so23009046qtg.2; Mon, 08 Oct 2018 17:44:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ICfAujeX9Ki4u3dqmrqRil9WVpptlgrIhpg5HD58dcc=; b=ge6D+aV6FD0IRq61BXIOveVctaCJ1U8LL86VqQEAhEgXCTGxdJ68ElIxV6gKQrJogV FhyRawkhB+xDGpyzfewuR82lTVvRdpczvDiBNTLeClWmAP38VExybwgDvlgSWVNNLoFf MEbc3rwvrK0E0SaMnYEDX/vTk5g/+ETrvGANzOkgWb+gB6lQKguYgzmB5iXmf1aVwVzV JM10UXmvdFAqXsePTbN41e8DAoCSFFQnc6+jU7B4KzG7ZBlKHYSYQ1A0/Ngrso3XNzZp gHN6GL+/Xrx0MSiwQ40OrKS7oZdL4gp2jqQYhvZeu5kBsXo1g5vPhAQoBH3L/tu/iGAV ywcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ICfAujeX9Ki4u3dqmrqRil9WVpptlgrIhpg5HD58dcc=; b=aIQk2XLxWeAlK7B7/05WqMhhy2fQkBExeLqI9mtgx701wQF2SQ5z5H1Zu/Po+3M4cG o0AliZVtj3yEgDuHgN7A6P0HRoKP/+lwcrHuH+I+4wKCf+jB11hoX87ISJqEIivMUq+F IHq7PgAOlqiGzp1Z9mgRy9PCGZIJU0uxTF+u7yk9q9SxiYau8NhPCk0wOTLXLsz4N/Yl 1nObxfEZeUsxqYBRP6TOMvG3ji57Iq33aq26vPxhL7DDgzkDR2xdoczT8W/RW0HzyYN+ z99HkokPGFVcoiA4Z/c8tUUGTCVhXP3rH78TFGJePoA5mCOToeJXLep5jU+O+dKYLOK0 gsKw== X-Gm-Message-State: ABuFfojoOW+sgH5E4bJXboSZXsjxqMFQaemtqYKt+Z1kIyu8xNAUYp+5 WyWhPdKPlW5U/D+LKjCYR3+9EbpDpSTJyxrxWIw= X-Received: by 2002:ac8:1793:: with SMTP id o19-v6mr21303598qtj.98.1539045898549; Mon, 08 Oct 2018 17:44:58 -0700 (PDT) MIME-Version: 1.0 References: <1538943795-30895-1-git-send-email-wang6495@umn.edu> <43898.1539033428@turing-police.cc.vt.edu> In-Reply-To: <43898.1539033428@turing-police.cc.vt.edu> From: Song Liu Date: Mon, 8 Oct 2018 17:44:46 -0700 Message-ID: Subject: Re: [PATCH] bpf: btf: Fix a missing check bug To: valdis.kletnieks@vt.edu Cc: wang6495@umn.edu, kjlu@umn.edu, Alexei Starovoitov , Daniel Borkmann , Networking , open list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 8, 2018 at 2:17 PM wrote: > > On Mon, 08 Oct 2018 13:51:09 -0700, Song Liu said: > > On Sun, Oct 7, 2018 at 1:26 PM Wenwen Wang wrote: > > > > same value. Given that the btf data is in the user space, a malicious user > > > can race to change the data between the two copies. By doing so, the user > > > can provide malicious data to the kernel and cause undefined behavior. > > > These two numbers are copied from same memory location, right? So I > > think this check is not necessary? > > Security researchers call this a TOCTOU bug - Time of Check - Time of Use. > > What can happen: > > 1) We fetch the value (say we get 90) from userspace and stash it in hdr_len. > > 2) We do some other stuff like check the hdr_len isn't too big, etc.. > > meanwhile, on another CPU running another thread of the process... > 3) malicious code stuffs a 117 into that field > > 4) We fetch the entire header, incliding a now-changed hdr_len (now 117) and > stick it in btf->hdr->hdr_len. > > 5) Any code that assumes that hdr_len and btf->hdr->hdr_len are the same value > explodes in interesting ways. I think I get the security concept here. However, hdr_len here is only used to copy the whole header into kernel space, and it is not used in other logic at all. I cannot image any security flaw with either hdr_len > btf->hdr->hdr_len case or hdr_len < btf->hdr->hdr_len. Could you please provide more insights on what would break by malicious user space? Thanks, Song