From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Alexei Starovoitov, Daniel Borkmann, netdev@vger.kernel.org (open list:BPF (Safe dynamic programs and tools)), linux-kernel@vger.kernel.org (open list:BPF (Safe dynamic programs and tools))
Subject: [PATCH] bpf: btf: Fix a missing-check bug
Date: Fri, 19 Oct 2018 17:29:51 -0500
Message-Id: <1539988191-13973-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In btf_parse(), the header of the user-space btf data 'btf_data' is firstly parsed and verified through btf_parse_hdr(). In btf_parse_hdr(), the header is copied from user-space 'btf_data' to kernel-space 'btf->hdr' and then verified. If no error happens during the verification process, the whole data of 'btf_data', including the header, is then copied to 'data' in btf_parse(). It is obvious that the header is copied twice here. More importantly, no check is enforced after the second copy to make sure the headers obtained in these two copies are the same. Given that 'btf_data' resides in the user space, a malicious user can race to modify the header between these two copies. By doing so, the user can inject inconsistent data, which can cause undefined behavior of the kernel and introduce a potential security risk.

To avoid the above issue, this patch rewrites the header after the second copy, using 'btf->hdr', which is obtained in the first copy.

Signed-off-by: Wenwen Wang
---
 kernel/bpf/btf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 138f030..2a85f91 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -2202,6 +2202,9 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size,
 		goto errout;
 	}
 
+	memcpy(data, &btf->hdr,
+	       min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr)));
+
 	err = btf_parse_str_sec(env);
 	if (err)
 		goto errout;
-- 
2.7.4
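Review bot: the added memcpy() before btf_parse_str_sec(env) needs a comment, and the commit message should name which later stage reads the header from `data` instead of from `btf->hdr`; without a named consumer the write-back is only defensive, and a one-line comment such as `/* restore the header validated by btf_parse_hdr(); the user copy may have changed since */` would record why the second copy is overwritten. The `min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr))` bound also means that when `hdr_len` exceeds `sizeof(btf->hdr)`, the trailing header bytes in `data` keep whatever the second copy fetched, so the message should state whether those bytes are ever interpreted.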
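The double fetch the commit message describes, as an added C model that is not part of the patch or of kernel/bpf/btf.c: struct toy_hdr, fetch() and the racer hook are constructed stand-ins for struct btf_header, copy_from_user() and a racing user thread, and the restore flag switches between the pre-patch behaviour and the patch's write-back of the validated header.

```c
/* Constructed model of the double fetch in the patch; not kernel code.
 * toy_hdr / fetch() / racer_fn stand in for btf_header / copy_from_user()
 * / a user thread that modifies the buffer between the two copies. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct toy_hdr { uint32_t magic, hdr_len, str_off, str_len; };
#define TOY_MAGIC 0xEB9Fu
#define TOY_MAX   64u

typedef void (*racer_fn)(unsigned char *user);   /* mutates "user memory" */

static void fetch(void *dst, const unsigned char *user, size_t n) { memcpy(dst, user, n); }

static bool hdr_ok(const struct toy_hdr *h, uint32_t size) {
    return h->magic == TOY_MAGIC && h->hdr_len == sizeof(*h) &&
           h->str_off == h->hdr_len && h->str_len <= size - h->hdr_len;
}

/* First copy: header only, then validated. Second copy: whole blob, header
 * included. restore=1 rewrites the header in out[] from the validated copy,
 * as the patch's memcpy() does; restore=0 is the pre-patch behaviour. */
static int parse(unsigned char *user, uint32_t size, racer_fn racer, int restore,
                 unsigned char *out, struct toy_hdr *validated) {
    if (size < sizeof(*validated) || size > TOY_MAX) return -1;
    fetch(validated, user, sizeof(*validated));
    if (!hdr_ok(validated, size)) return -1;
    if (racer) racer(user);                 /* the race window */
    fetch(out, user, size);
    if (restore) {
        uint32_t n = validated->hdr_len < sizeof(*validated) ? validated->hdr_len : sizeof(*validated);
        memcpy(out, validated, n);
    }
    return 0;
}

/* Racer: after validation, claim a string section far beyond the buffer. */
static void inflate_str_len(unsigned char *user) {
    uint32_t big = 0xFFFFFFFFu;
    memcpy(user + offsetof(struct toy_hdr, str_len), &big, sizeof(big));
}

/* Returns 1 if the header that later stages would read from out[] still
 * matches the validated one, 0 if the racer's version got through. */
int header_stays_consistent(int restore) {
    unsigned char user[TOY_MAX] = {0}, out[TOY_MAX];
    struct toy_hdr v, h = { TOY_MAGIC, sizeof(struct toy_hdr), sizeof(struct toy_hdr), 8 };
    memcpy(user, &h, sizeof(h));
    if (parse(user, sizeof(h) + 8, inflate_str_len, restore, out, &v) != 0) return -1;
    return memcmp(out, &v, sizeof(v)) == 0;
}
```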