Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp486677ima; Wed, 24 Oct 2018 04:39:27 -0700 (PDT) X-Google-Smtp-Source: AJdET5cMkQIlacVO9a4KjRiK0lSWuPRGNMS+q6DyUtKRAZBoiS2ruCcEEpLLPwGcoVAGGgver/5s X-Received: by 2002:a63:f844:: with SMTP id v4mr2207400pgj.82.1540381167202; Wed, 24 Oct 2018 04:39:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540381167; cv=none; d=google.com; s=arc-20160816; b=S43GSb1TWy1psgyGRik4xZxru+7JQz6LttTeGiTphP5N/4hkZob9xdq8TpXMRlx8B/ 9s2vbVSQ2y5uIuw/DjwRCBAtHB+95O5Gt6kB5JUkxDJX0x8ZY+UBJvPPAiXAoJHfu9kn Zr+3xGPi/4vNe7TqaQCOTZay4EGk/j9ihUYfiTjjC8/oevKfNA6GdMcpK3Wmo1XzN4mV /qj+30O7WOHGGxKNnRRuEXCWRqXzGFdlqVi+Mp288NVgeRNdmtZACgazEw0z7a97Xd3r mbD0E3BAtgknOs1RVlxTv/R1+pjxNxDq6SKhISyNO/dc5DjVtWfI7pWcSQ/waFxeF9U4 D93w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=cHvGJcW080E9AciEyiN4kdcmUkq6ds/Xv5QLYwkjeF0=; b=bdU7Vu9iEHAbk1diWbJhckpSi4PDFqSzowyS/JsdQTnNy+t/sShVR+b66090vRrTuX 2BXSrd1YPXB3CIVGsH70cOu6AkVKcS+mdyuM51cb2cgZFQaG6GiXyXXoR8vLTnZReucR 1h5ei5KVPL4yXXkLJ05qiE09VWjYbL5g7JtNYiVYONLcr+AtdX87oI0PzuF2guXmkVvE KQbfpCv6OeHPQydw5mTWQ4EPJeF2ijx6H1hB6xpndkYc6nzNDFZlBsKOJi93GImcZmrm XKQpViNMBsppkF/uEPUvUnXYMaryfXCA47+OpcVVVHYIvij06d6fjTPVqIme69T/k0PQ zUnA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b="VMD9SF/Z"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j7-v6si4385515pgj.532.2018.10.24.04.39.08; Wed, 24 Oct 2018 04:39:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b="VMD9SF/Z"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727642AbeJXUE6 (ORCPT + 99 others); Wed, 24 Oct 2018 16:04:58 -0400 Received: from mta-p2.oit.umn.edu ([134.84.196.202]:39196 "EHLO mta-p2.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726898AbeJXUE6 (ORCPT ); Wed, 24 Oct 2018 16:04:58 -0400 Received: from localhost (localhost [127.0.0.1]) by mta-p2.oit.umn.edu (Postfix) with ESMTP id 9E7D05EF; Wed, 24 Oct 2018 11:37:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h= content-type:content-type:subject:subject:message-id:date:date :from:from:in-reply-to:references:mime-version:received:received :received; s=20160920; t=1540381030; x=1542195431; bh=z9XQ4VzQJc Kps+aHG/lxTfnSLjuJ7rmPgK6CLxLMwTk=; b=VMD9SF/Zu9b9ZB54yNZQzfG4kf /DTdEEvhOwpRHwgQSFWw7XKciVrqii1GCfNwNtOXM3qVd1lHNg30/jpeSgSVMf+f /Wg0w6+ojo7fr7o3vww9uwu27moVBhkrZAGvdd7Z0OUh1FGkcGch/qhQCFVJqtFw WGCM8RzKPY2r3VI0KXgBfWw02cNo5AUKbhPpAruTbaBaPmUUU5iMaaainzKPDt7m V1Bg3Zq2yn9GAkkZaEX6vdOJJYa6wAb/bHvBmg16yn62cL4QQ2VYQMrWZot0DCS9 q0svX1luAh/R1cM6ZKhL9OdcKhQfDc+W+7h5k6pBf681wQG72/TVNSZh49ZQ== X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p2.oit.umn.edu ([127.0.0.1]) by localhost (mta-p2.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ARbr8hRRwtQH; Wed, 24 Oct 2018 06:37:10 -0500 (CDT) Received: from mail-io1-f41.google.com (mail-io1-f41.google.com [209.85.166.41]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: wang6495) by mta-p2.oit.umn.edu (Postfix) with ESMTPSA id 512A5523; Wed, 24 Oct 2018 06:37:10 -0500 (CDT) Received: by mail-io1-f41.google.com with SMTP id l25-v6so2934189ioj.0; Wed, 24 Oct 2018 04:37:10 -0700 (PDT) X-Gm-Message-State: AGRZ1gLHoeTLBolwYoV+kQr25aAfgmyz7EKqAZwaPxZssET5GFb5XyAg n+Irbq2zUqRcy9aQA1kdIFr0uDFD40JjyQVPjUQ= X-Received: by 2002:a6b:7e07:: with SMTP id i7-v6mr3388740iom.16.1540381029995; Wed, 24 Oct 2018 04:37:09 -0700 (PDT) MIME-Version: 1.0 References: <1539988191-13973-1-git-send-email-wang6495@umn.edu> In-Reply-To: From: Wenwen Wang Date: Wed, 24 Oct 2018 06:36:33 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] bpf: btf: Fix a missing-check bug To: daniel@iogearbox.net Cc: ys114321@gmail.com, Kangjie Lu , ast@kernel.org, "open list:NETWORKING [GENERAL]" , open list , Wenwen Wang Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 24, 2018 at 4:39 AM Daniel Borkmann wrote: > > Hi Wenwen, > > On 10/22/2018 05:57 PM, Y Song wrote: > > On Fri, Oct 19, 2018 at 3:30 PM Wenwen Wang wrote: > >> > >> In btf_parse(), the header of the user-space btf data 'btf_data' is firstly > >> parsed and verified through btf_parse_hdr(). In btf_parse_hdr(), the header > >> is copied from user-space 'btf_data' to kernel-space 'btf->hdr' and then > >> verified. If no error happens during the verification process, the whole > >> data of 'btf_data', including the header, is then copied to 'data' in > >> btf_parse(). It is obvious that the header is copied twice here. More > >> importantly, no check is enforced after the second copy to make sure the > >> headers obtained in these two copies are same. Given that 'btf_data' > >> resides in the user space, a malicious user can race to modify the header > >> between these two copies. By doing so, the user can inject inconsistent > >> data, which can cause undefined behavior of the kernel and introduce > >> potential security risk. > >> > >> To avoid the above issue, this patch rewrites the header after the second > >> copy, using 'btf->hdr', which is obtained in the first copy. > >> > >> Signed-off-by: Wenwen Wang > >> --- > >> kernel/bpf/btf.c | 3 +++ > >> 1 file changed, 3 insertions(+) > >> > >> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > >> index 138f030..2a85f91 100644 > >> --- a/kernel/bpf/btf.c > >> +++ b/kernel/bpf/btf.c > >> @@ -2202,6 +2202,9 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size, > >> goto errout; > >> } > >> > >> + memcpy(data, &btf->hdr, > >> + min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr))); > > > > Could you restructure the code to memcpy the header followed by copying > > the rest of btf_data with copy_from_user? This way, each byte is only > > copied once. > > Could you add some comments right before memcpy so later people will know > > why we implement this way? > > Thanks for the fix! Agree with Yonghong that we should rework this a bit, so > please respin a v2 with the feedback addressed, thanks. Hi Yonghong and Daniel, Thanks for your suggestions! No problem, I will work on the v2 and resubmit the patch. Wenwen