From: Wenwen Wang To: Wenwen Wang Cc: Kangjie Lu , Alexei Starovoitov , Daniel Borkmann , netdev@vger.kernel.org (open list:BPF (Safe dynamic programs and tools)), linux-kernel@vger.kernel.org (open list:BPF (Safe dynamic programs and tools)) Subject: [PATCH v2] bpf: btf: Fix a missing-check bug Date: Wed, 24 Oct 2018 08:00:19 -0500 Message-Id: <1540386020-30680-1-git-send-email-wang6495@umn.edu> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In btf_parse(), the header of the user-space btf data 'btf_data' is firstly parsed and verified through btf_parse_hdr(). In btf_parse_hdr(), the header is copied from user-space 'btf_data' to kernel-space 'btf->hdr' and then verified. If no error happens during the verification process, the whole data of 'btf_data', including the header, is then copied to 'data' in btf_parse(). It is obvious that the header is copied twice here. More importantly, no check is enforced after the second copy to make sure the headers obtained in these two copies are same. Given that 'btf_data' resides in the user space, a malicious user can race to modify the header between these two copies. By doing so, the user can inject inconsistent data, which can cause undefined behavior of the kernel and introduce potential security risk. To avoid the above issue, this patch copies the parsed header from 'btf->hdr' to 'data'. The remaining part in 'data' is still copied from the user-space 'btf_data'. Signed-off-by: Wenwen Wang --- kernel/bpf/btf.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index 378cef7..b52a834a 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -2152,6 +2152,7 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size, struct btf_verifier_env *env = NULL; struct bpf_verifier_log *log; struct btf *btf = NULL; + u32 hdr_len; u8 *data; int err; 
@@ -2200,7 +2201,15 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size, btf->data_size = btf_data_size; btf->nohdr_data = btf->data + btf->hdr.hdr_len; - if (copy_from_user(data, btf_data, btf_data_size)) { + /* + * The header at btf_data could be modified by a malicious user + * after it is parsed. So we copy the parsed header here. The + * remaining part is still copied from btf_data. + */ + hdr_len = min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr)); + memcpy(data, &btf->hdr, hdr_len); + if (copy_from_user(data + hdr_len, (u8 __user *)btf_data + hdr_len, + btf_data_size - hdr_len)) { err = -EFAULT; goto errout; } -- 2.7.4
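Review bot: the header is still read from user memory twice around the validation in btf_parse_hdr(), so this hunk only closes the race for the first sizeof(btf->hdr) bytes. Because hdr_len is clamped with min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr)) and the copy starts at btf_data + hdr_len, any header bytes in the range [sizeof(btf->hdr), btf->hdr.hdr_len) that btf_parse_hdr() may have inspected are re-fetched from btf_data after validation and can be changed in exactly the same window. A simpler and complete fix is to copy the whole btf_data into 'data' once and have btf_parse_hdr() validate the kernel-resident copy, which removes the double fetch rather than papering over it and also drops hdr_len and the memcpy. If the current shape is kept, the new comment should state that 'btf_data_size - hdr_len' relies on btf_parse_hdr() having already rejected hdr_len > btf_data_size, since the subtraction would otherwise wrap.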
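The double fetch the commit message describes, and the single-copy alternative, modelled in plain user-space C as an added example; this is not code from the patch or from the kernel, and toy_hdr, fake_copy_from_user, setup and the buffer layout are invented, with a racing user thread simulated by mutating the buffer after every copy.

```c
/* Added model of the double fetch described in the commit message; not kernel
 * code. toy_hdr, fake_copy_from_user, setup and the constants are invented. */
#include <stdint.h>
#include <string.h>
#define TOY_MAGIC 0x9feb
#define BUF_SIZE  32
struct toy_hdr { uint32_t magic; uint32_t hdr_len; uint32_t payload_len; };
union blob { unsigned char raw[BUF_SIZE]; struct toy_hdr hdr; };
static union blob user_buf;   /* the "user-space" buffer (constructed) */
static int racing;            /* 1 = a concurrent user thread rewrites it */

/* Models copy_from_user(); a racing writer then corrupts hdr_len in place. */
static void fake_copy_from_user(void *dst, size_t off, size_t n)
{
    memcpy(dst, user_buf.raw + off, n);
    if (racing) user_buf.hdr.hdr_len = BUF_SIZE * 4;  /* would fail hdr_ok */
}

static int hdr_ok(const struct toy_hdr *h, size_t size)
{
    return h->magic == TOY_MAGIC && h->hdr_len == sizeof *h &&
           (size_t)h->hdr_len + h->payload_len == size;
}

/* Vulnerable shape: validate one copy of the header, then re-fetch the whole
 * buffer. Returns 1 if the re-fetched header differs from the validated one. */
int parse_double_fetch(void)
{
    struct toy_hdr hdr;
    union blob data;
    fake_copy_from_user(&hdr, 0, sizeof hdr);
    if (!hdr_ok(&hdr, BUF_SIZE)) return -1;
    fake_copy_from_user(&data, 0, BUF_SIZE);           /* second fetch */
    return memcmp(&data.hdr, &hdr, sizeof hdr) != 0;
}

/* Fixed shape: fetch once, validate the kernel copy, never re-read user memory. */
int parse_single_fetch(void)
{
    union blob data;
    fake_copy_from_user(&data, 0, BUF_SIZE);
    return hdr_ok(&data.hdr, BUF_SIZE) ? 0 : -1;       /* validated == used */
}
/* Constructed input: a valid header (payload stays zero), optional racing writer. */
void setup(int race)
{
    struct toy_hdr h = { TOY_MAGIC, sizeof h, BUF_SIZE - sizeof h };
    user_buf.hdr = h;
    racing = race;
}
```

With the racing writer on, parse_double_fetch() ends up holding a header it never validated, while parse_single_fetch() cannot, whatever the writer does after the one copy.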