Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp446234imm; Tue, 9 Oct 2018 21:48:26 -0700 (PDT) X-Google-Smtp-Source: ACcGV63000/Sbxz3ezSpPwKfKrVf2JXcCBnWYsSqMce+IC88UCHFtSJcJtZAuvMxx94B7gF830y9 X-Received: by 2002:a63:f110:: with SMTP id f16-v6mr28460073pgi.236.1539146906809; Tue, 09 Oct 2018 21:48:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539146906; cv=none; d=google.com; s=arc-20160816; b=JC8nOH6couDS4Wcbaffwy++wNUq8T0V14PAbz48LQbwoQ9tUe5ts2h5ySnhZosaDw4 SIi0/ve1H9QOBYbANEqa761/fwZn51xBJOCxpzSmWKJUlr1UiTS14dscJ8G9LlAjfi2P 5wskhrOlXvvdksCCYPOAp8nc1twmNcZzYp2WvnjyKyupO1umUP/4lo2SRLy/c27PVFUd uuQL3CHE3w4IQyPJoqLYK4pgiLvcS8RzlfAhMpZ7XFz8tfIrL0WPQAzFDHAKk+INavbg sWjxmKLfygApHyAf3tYsZQmeTVQ7F8ccVwiXm363BCcqiOSru3LIZn+teY1OntfrfL5B hRfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=6iQMS6k+ft+38zYvnYydH29GFFaar9ix12xEzaKsbkk=; b=AJo9cIjouI2zEsdfLsCNqs/jiEbCVpkE1i42OTNvYFkAkjCCUbG4dNa6GDRA0oT9bz LUDvmQ2rqBEIOgL57134E+6sVYAjfDQrv42GEzaYNvD8BNZy9VM9hgXLxZg8oK2NRG/a Jq/9En4JNglcsZwtFbD3pQEJH8Kwojcq8K3GztQzNi/WLnNFcA+YujAoCaNN2XmszGvP ZmxJCq++Q+lKDesoraFyCQ0WegxE+hYKZSgLO6gv6kEz5w5iC7Qn2+l2Rw2kvNN0fvpz VVNDAj3hsfU72P37dRsVUyxmfuWSDM33u/7w4G4KHwPW5s5Yxtau251OjYfs6te6libR LAYA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="MfDF9hZ/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q22-v6si23391746pgc.393.2018.10.09.21.48.11; Tue, 09 Oct 2018 21:48:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="MfDF9hZ/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727215AbeJJMH6 (ORCPT + 99 others); Wed, 10 Oct 2018 08:07:58 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:38634 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726647AbeJJMH6 (ORCPT ); Wed, 10 Oct 2018 08:07:58 -0400 Received: by mail-pl1-f195.google.com with SMTP id b5-v6so1898297plr.5; Tue, 09 Oct 2018 21:47:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=6iQMS6k+ft+38zYvnYydH29GFFaar9ix12xEzaKsbkk=; b=MfDF9hZ/d9s930ycO84n0Hqf7UIl1J9Yhn4XLs2e+Ad95RqyY1BaRhjnQo7qeTbkQy uOmMJryPETcCFhguL4BWWNwaHrGDSxgM0H9M7vlTD2rlxn55LLdkgN/n6J1v8SC084b9 ssFFW7ndngTvoh9oHgEPu0zm1G8et8dH8X6Hqjp6kCJlOuixIcIGSpEI4hpgpQy7nNkR 4xnhgD/G2fIhUo8Z5Q6I+S3T3tczJrFCpuXFp6upclER80lCd93TAdzRFCSh7meI6fOP aAogMIMyZbxHM/YyKNrAmZSAMPswpyAf7R7Pmno3qbxACsAexQ2fmIMsKyDbCZzveZ5W SGPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=6iQMS6k+ft+38zYvnYydH29GFFaar9ix12xEzaKsbkk=; b=r9LN2ZH+08QlpG4Lsodd3GxqOwK+V+f7GEl8cwgPfWL9ZGPWu0m2hipErdC8f9pL1h 5uRQKEvYtVpqKQGbHHXSNCtc1BT8yEuRzve6NRTKpO3IomgYdhIcHSoTJ1dnutmzPzQr lH2YL3ftJ59eKaTsscsUUhWFpr+76qn8uXxjRJDf6+S+UPE3LQAzp6bCWdBRhPmEF7K5 G7Gc8hwrMs4EY0URwWEKnAG7rzrbuwLbOrWMhCQPg1qvhYWx96diyZnwhANHw1fBJgyJ oe/UlavIMfHRL8KopB0JJvOCqR4QibDs6gNK9oX6JJ11waWoJg8pg9RrDxlo2aLcW9dy zq0A== X-Gm-Message-State: ABuFfoj9lman4zFKKlpxFmeAVc/P3Rt94tZ3cGbzZdj/gh5LvHay+ll0 LIlF3qr+eJgeuIRQ1IGI5uFkQBRM X-Received: by 2002:a17:902:8e81:: with SMTP id bg1-v6mr31794562plb.129.1539146859814; Tue, 09 Oct 2018 21:47:39 -0700 (PDT) Received: from ast-mbp.dhcp.thefacebook.com ([2620:10d:c090:180::1:4706]) by smtp.gmail.com with ESMTPSA id l83-v6sm55676568pfi.172.2018.10.09.21.47.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Oct 2018 21:47:38 -0700 (PDT) Date: Tue, 9 Oct 2018 21:47:36 -0700 From: Alexei Starovoitov To: Song Liu Cc: valdis.kletnieks@vt.edu, wang6495@umn.edu, kjlu@umn.edu, Alexei Starovoitov , Daniel Borkmann , Networking , open list Subject: Re: [PATCH] bpf: btf: Fix a missing check bug Message-ID: <20181010044735.akxel4pjncafpjcf@ast-mbp.dhcp.thefacebook.com> References: <1538943795-30895-1-git-send-email-wang6495@umn.edu> <43898.1539033428@turing-police.cc.vt.edu> <9337.1539047240@turing-police.cc.vt.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180223 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 08, 2018 at 11:55:15PM -0700, Song Liu wrote: > On Mon, Oct 8, 2018 at 6:07 PM wrote: > > > > On Mon, 08 Oct 2018 17:44:46 -0700, Song Liu said: > > > > > I think I get the security concept here. However, hdr_len here is only used to > > > copy the whole header into kernel space, and it is not used in other > > > logic at all. > > > I cannot image any security flaw with either hdr_len > btf->hdr->hdr_len case or > > > hdr_len < btf->hdr->hdr_len. Could you please provide more insights on what > > > would break by malicious user space? > > > > Say the biggest allowed value for hdr_len is 128. We check the value, the user has 98. > > They then stuff 16,383 into there. > > > > Now here's the problem - hdr_len is a local variable, and evaporates when the function > > returns. From here on out, anybody who cares about the header length will use the > > value in btf->hdr_len.... > > > > (And yes, somebody *does* care about the length, otherwise we wouldn't need a field > > saying what the length was....) > > > > Now think how many ways that can go pear-shaped. You copied in 98 bytes, but outside > > the function, they think that header is almost 4 pages long. Does that ever get used as > > a length for kmemcpy()? Or a limit for a 'for (i=start; i< (start+hdr->hdr_len); i++)' that > > walks across a variable length header? > > > > Can you cook up a way to have a good chance to oops the kernel when it walks off the > > page you allocated the 98 bytes on? Can you use it to export chunks of memory out to > > userspace? Lots and lots of ways for this to kersplat a kernel...; > > In current code, I don't thing any malicious hdr_len value could pass > btf_check_sec_info(). > On the other hand, I agree this is a good-to-have check. > > Acked-by: Song Liu I agree with Song's analysis that the current shape of code in btf_check_sec_info() has us covered, but it's a good coding style to check for TOCTOU like this, hence applied to bpf-next.