Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp4492003imm; Mon, 8 Oct 2018 23:56:09 -0700 (PDT) X-Google-Smtp-Source: ACcGV61jhpwEqYprLm2PHWyuyCtmvdgcvaJm98B4Ulg0Lu32wo8Jx93MvqMlEuc62BjYLMlE11JO X-Received: by 2002:a17:902:2907:: with SMTP id g7-v6mr22973329plb.201.1539068169118; Mon, 08 Oct 2018 23:56:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539068169; cv=none; d=google.com; s=arc-20160816; b=IBCETUMBWLwsu5Ly1FiO8Blb6xtMfS2wG7wRYAGrRCnCXnK7PC8xRT2fU5NxPa8U0o SS8HYMZQESuJcm9Qj7GuUET2ag7bKjpSx9/CHYAwQf4kbHX8sarCHRTQ0jUoxvU997vO g1T5Wid0Y9P7EhPZT5Fu2R3CMvG4veBav6ZXrMGp9q4k0Oy0x6G3gc0eXB/OKcW6LxMs sgcjOiC4ZFEPwMYnyf1wWM9tHgtvs1Yq5OXVjuHD0Dczr48CH+HGFxp/XliQQpZVy8NT k6VNOYv9qTN1JsEpA+LvFQt77PtxRvNBWptd+HvEvkK67x+URP6FnNvT1ifqpRL0Lrn3 YvLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=BS5tt/THeJBcPFOUVqP4NbqMJDRqihQtiGSeYhs7ywA=; b=FycrWaJgDmfFGVhhuskR2P2xVGeuzzTGqLjZqanjqrb+3Q30NhFiipqyf1wj/o3+1R EEWUj3GIxMr4AwQkqAbxf4zQ70glXmuwducrbtaGj0rfBNNzN4HPaiqusk1uqeoNqQEK xfUqgj3Bjb6iR62a1C3vl6HYgg/Oa6I4Rx9BMSSNgygnzutH0kMTjZkRbC70aNEaPqnW YNoZECYreVUxZwng7eE0EXxnp1RxXH2UqpSPOvWHXflptDoFyjHlTPeHNc3FeIvpPAxh gn4D5kbKyXrlNAaK/hGngD4UGJL6nUiw9HFRPuKaNgav78m9SO2HMNsdkJjNvfG6rOU3 ntmQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=pwdwXch5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d14-v6si16474581pgl.258.2018.10.08.23.55.54; Mon, 08 Oct 2018 23:56:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=pwdwXch5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726562AbeJIOKz (ORCPT + 99 others); Tue, 9 Oct 2018 10:10:55 -0400 Received: from mail-qt1-f195.google.com ([209.85.160.195]:38226 "EHLO mail-qt1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725861AbeJIOKy (ORCPT ); Tue, 9 Oct 2018 10:10:54 -0400 Received: by mail-qt1-f195.google.com with SMTP id l9-v6so487173qtf.5; Mon, 08 Oct 2018 23:55:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BS5tt/THeJBcPFOUVqP4NbqMJDRqihQtiGSeYhs7ywA=; b=pwdwXch5mWOcVH36UPH7IUa8pEGgsvwpeD5IKDKJ1C5fBWCFoyNMMz8gzjtOCbZj6V JTk4P+KSZ1JJC94AOlzL8HKT2nLVGeCrgACi0NFo7xA5A/2SeGokb8Yk/WT++o03htyY Su2qSOZoWyEnDBHbhrCXNpFYr8jb3QfloKDTWB8SXMCmWta0YOfLvHJCrvPvPOoMYXnx OHK6bcIvwfNZ1Hh4uIibEx0IBhFl7Zl6O/xYElkq0Qx1TnrW+9VOCc+SeYYkwrHscGLs vyvZGB3GiuyxBLF8lm5zlml0uuFjuYxlwRHCvUr68gsCsnPcVxQ6FQuDbwcOVl+bq2Kp VsUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BS5tt/THeJBcPFOUVqP4NbqMJDRqihQtiGSeYhs7ywA=; b=D2srCwHG2rO8Ky9jkzxLHeVaD+lmv1PnmQUiTogeQN+cuFgewNSN7nTpzXOA9Anjhf d+GYBUuSsuaawfjBQDnBIuqdoKDYxH5C7gUdrCUDVEy0pYaokKGIR+d66Eqs1Su88KYS jBEFpGIafIJAOO0gY2vSLQrY9G2hMPWG5al5RnszA2kYagyN0+1a+RXnxG0TXQdwoPYw Me7/5fhwHvVxeryL0dpoGCzDr8t94XFHv0fZJ1nEPEIFnX7KTx7J/OH10gVf73sc4Jsl Buhh2JstxmlXvidqizVPi6uis9mUv01MXIG182njslHG6lA4wbZ+xqQ/T4hYs98lBVK4 JbIQ== X-Gm-Message-State: ABuFfogk24iy8ZnZi2deeaIZpKjZGI3jLi/3fsVsY43Pfc33c3KbETWg jH1wpsuBcu4DFZab2y8afuxu3bJpIdvfW8QJsbc= X-Received: by 2002:a0c:8af5:: with SMTP id 50-v6mr7797458qvw.48.1539068127476; Mon, 08 Oct 2018 23:55:27 -0700 (PDT) MIME-Version: 1.0 References: <1538943795-30895-1-git-send-email-wang6495@umn.edu> <43898.1539033428@turing-police.cc.vt.edu> <9337.1539047240@turing-police.cc.vt.edu> In-Reply-To: <9337.1539047240@turing-police.cc.vt.edu> From: Song Liu Date: Mon, 8 Oct 2018 23:55:15 -0700 Message-ID: Subject: Re: [PATCH] bpf: btf: Fix a missing check bug To: valdis.kletnieks@vt.edu Cc: wang6495@umn.edu, kjlu@umn.edu, Alexei Starovoitov , Daniel Borkmann , Networking , open list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 8, 2018 at 6:07 PM wrote: > > On Mon, 08 Oct 2018 17:44:46 -0700, Song Liu said: > > > I think I get the security concept here. However, hdr_len here is only used to > > copy the whole header into kernel space, and it is not used in other > > logic at all. > > I cannot image any security flaw with either hdr_len > btf->hdr->hdr_len case or > > hdr_len < btf->hdr->hdr_len. Could you please provide more insights on what > > would break by malicious user space? > > Say the biggest allowed value for hdr_len is 128. We check the value, the user has 98. > They then stuff 16,383 into there. > > Now here's the problem - hdr_len is a local variable, and evaporates when the function > returns. From here on out, anybody who cares about the header length will use the > value in btf->hdr_len.... > > (And yes, somebody *does* care about the length, otherwise we wouldn't need a field > saying what the length was....) > > Now think how many ways that can go pear-shaped. You copied in 98 bytes, but outside > the function, they think that header is almost 4 pages long. Does that ever get used as > a length for kmemcpy()? Or a limit for a 'for (i=start; i< (start+hdr->hdr_len); i++)' that > walks across a variable length header? > > Can you cook up a way to have a good chance to oops the kernel when it walks off the > page you allocated the 98 bytes on? Can you use it to export chunks of memory out to > userspace? Lots and lots of ways for this to kersplat a kernel...; In current code, I don't thing any malicious hdr_len value could pass btf_check_sec_info(). On the other hand, I agree this is a good-to-have check. Acked-by: Song Liu