References: <1539988191-13973-1-git-send-email-wang6495@umn.edu>
In-Reply-To: <1539988191-13973-1-git-send-email-wang6495@umn.edu>
From: Y Song
Date: Mon, 22 Oct 2018 08:57:46 -0700
Subject: Re: [PATCH] bpf: btf: Fix a missing-check bug
To: wang6495@umn.edu
Cc: kjlu@umn.edu, Alexei Starovoitov, Daniel Borkmann, netdev, LKML
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 19, 2018 at 3:30 PM Wenwen Wang wrote:
>
> In btf_parse(), the header of the user-space btf data 'btf_data' is firstly
> parsed and verified through btf_parse_hdr(). In btf_parse_hdr(), the header
> is copied from user-space 'btf_data' to kernel-space 'btf->hdr' and then
> verified. If no error happens during the verification process, the whole
> data of 'btf_data', including the header, is then copied to 'data' in
> btf_parse(). It is obvious that the header is copied twice here. More
> importantly, no check is enforced after the second copy to make sure the
> headers obtained in these two copies are the same. Given that 'btf_data'
> resides in the user space, a malicious user can race to modify the header
> between these two copies. By doing so, the user can inject inconsistent
> data, which can cause undefined behavior of the kernel and introduce a
> potential security risk.
>
> To avoid the above issue, this patch rewrites the header after the second
> copy, using 'btf->hdr', which is obtained in the first copy.
>
> Signed-off-by: Wenwen Wang
> ---
>  kernel/bpf/btf.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 138f030..2a85f91 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -2202,6 +2202,9 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size,
>  goto errout;
>  }
>
> + memcpy(data, &btf->hdr,
> + min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr)));

Could you restructure the code to memcpy the header followed by copying the
rest of btf_data with copy_from_user? This way, each byte is only copied once.

Could you add some comments right before memcpy so later people will know
why we implement this way?

> +
>  err = btf_parse_str_sec(env);
>  if (err)
>  goto errout;
> --
> 2.7.4
>
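Review bot: the rewrite in this hunk is capped at sizeof(btf->hdr) via min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr)), so when hdr_len is larger than the struct, the header bytes in 'data' between sizeof(btf->hdr) and hdr_len still hold whatever the second copy_from_user fetched and are not restored from the verified btf->hdr; either state in the code that nothing consumes those bytes after this point, or restore them as well. The memcpy also lands without a comment saying that it exists to defeat a user-space change between the two copies; a two-line comment above `memcpy(data, &btf->hdr,` would spare the next reader a trip to the commit log.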
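As an added example (not kernel code and not from anyone in this thread), the double-fetch pattern the commit message describes and the single-copy restructure Y Song asks for, modelled in user space: copy_from_user() is replaced by a byte copy out of a constructed buffer, and a hypothetical racer flips one header field between the two fetches. The struct layout, magic value and buffer sizes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed header; layout only loosely mirrors struct btf_header. */
struct hdr { uint16_t magic; uint8_t version; uint8_t flags; uint32_t hdr_len; uint32_t type_len; };
#define UBUF_SIZE 64
#define HDR_MAGIC 0xeB9F
static uint8_t ubuf[UBUF_SIZE];   /* stands in for the user-space btf_data */

static void reset_ubuf(void) {
    struct hdr h = { HDR_MAGIC, 1, 0, sizeof(struct hdr), UBUF_SIZE - sizeof(struct hdr) };
    memset(ubuf, 0xAA, sizeof ubuf);          /* body bytes; content irrelevant here */
    memcpy(ubuf, &h, sizeof h);
}
/* Stand-in for copy_from_user(): a plain byte copy out of ubuf. */
static void fetch_from_user(void *dst, size_t off, size_t n) { memcpy(dst, ubuf + off, n); }
/* Hypothetical racer from the commit message: rewrites type_len after the
 * header was verified but before it is fetched again. */
static void racer(int active) {
    uint32_t bogus = 0xFFFFFFF0u;
    if (active) memcpy(ubuf + offsetof(struct hdr, type_len), &bogus, sizeof bogus);
}
static int hdr_ok(const struct hdr *h) {
    return h->magic == HDR_MAGIC && h->hdr_len == sizeof *h && h->type_len <= UBUF_SIZE - h->hdr_len;
}

/* Pattern the commit message criticises: header fetched twice, second copy used.
 * Returns the type_len the parser would go on to trust, or -1 if rejected. */
long long parse_double_fetch(int racing) {
    struct hdr verified, seen; uint8_t data[UBUF_SIZE];
    reset_ubuf();
    fetch_from_user(&verified, 0, sizeof verified);
    if (!hdr_ok(&verified)) return -1;
    racer(racing);                               /* window between the two copies */
    fetch_from_user(data, 0, UBUF_SIZE);         /* header comes back unverified */
    memcpy(&seen, data, sizeof seen);
    return seen.type_len;
}

/* Restructure Y Song asks for: verified header reused, only the body fetched. */
long long parse_single_fetch(int racing) {
    struct hdr verified, seen; uint8_t data[UBUF_SIZE];
    reset_ubuf();
    fetch_from_user(&verified, 0, sizeof verified);
    if (!hdr_ok(&verified)) return -1;
    racer(racing);                               /* same window, now harmless */
    memcpy(data, &verified, sizeof verified);
    fetch_from_user(data + sizeof verified, sizeof verified, UBUF_SIZE - sizeof verified);
    memcpy(&seen, data, sizeof seen);
    return seen.type_len;
}
```

With the racer active, parse_double_fetch() passes validation yet goes on to trust a type_len that was never checked, while parse_single_fetch() keeps the verified value because the header bytes in data never come from the second copy.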