Subject: Re: [PATCH v2] bpf: btf: Fix a missing-check bug
To: Martin Lau, Wenwen Wang
Cc: Kangjie Lu, Alexei Starovoitov, "open list:BPF (Safe dynamic programs and tools)"
References: <1540386020-30680-1-git-send-email-wang6495@umn.edu> <20181024172514.l33dsaqdvs5yewvm@kafai-mbp> <20181024182239.lz7uicceihzmxabh@kafai-mbp> <20181024203548.glxgu3bqd47minmg@kafai-mbp>
From: Daniel Borkmann
Message-ID: <7a5a0bb9-ce61-b9e8-7362-32dac8823700@iogearbox.net>
Date: Fri, 26 Oct 2018 00:58:31 +0200
In-Reply-To: <20181024203548.glxgu3bqd47minmg@kafai-mbp>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/24/2018 10:42 PM, Martin Lau wrote:
> On Wed, Oct 24, 2018 at 06:22:46PM +0000, Martin Lau wrote:
>> On Wed, Oct 24, 2018 at 05:26:23PM +0000, Martin Lau wrote:
>>> On Wed, Oct 24, 2018 at 08:00:19AM -0500, Wenwen Wang wrote:
>>>> In btf_parse(), the header of the user-space btf data 'btf_data' is first
>>>> parsed and verified through btf_parse_hdr(). In btf_parse_hdr(), the header
>>>> is copied from user-space 'btf_data' to kernel-space 'btf->hdr' and then
>>>> verified. If no error happens during the verification process, the whole
>>>> data of 'btf_data', including the header, is then copied to 'data' in
>>>> btf_parse(). It is obvious that the header is copied twice here. More
>>>> importantly, no check is enforced after the second copy to make sure the
>>>> headers obtained in these two copies are the same. Given that 'btf_data'
>>>> resides in the user space, a malicious user can race to modify the header
>>>> between these two copies. By doing so, the user can inject inconsistent
>>>> data, which can cause undefined behavior of the kernel and introduce
>>>> potential security risk.
>> btw, I am working on a patch that copies the btf_data before parsing/verifying
>> the header. That should avoid this from happening but that will
>> require a bit more code churn for the bpf branch.
>>
> It is what I have in mind:
>
> It is not a good idea to check the BTF header before copying the
> user btf_data. The verified header may not be the one actually
> copied to btf->data (e.g. userspace may modify the passed in
> btf_data in between). Like the one fixed in
> commit 8af03d1ae2e1 ("bpf: btf: Fix a missing check bug").
>
> This patch copies the user btf_data before parsing/verifying
> the BTF header.
>
> Fixes: 69b693f0aefa ("bpf: btf: Introduce BPF Type Format (BTF)")
> Signed-off-by: Martin KaFai Lau

I've added Co-developed-by tag and applied it to bpf tree, thanks everyone!
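The copy-first, verify-second pattern the thread settles on, as an added C example that is not the kernel's code nor any participant's patch: struct btf, btf_parse and demo_parse are simplified stand-ins, memcpy() stands in for copy_from_user(), and the bounds checks are assumed. The point it makes is that once the whole blob is fetched in a single copy, the header that gets verified is the same bytes the kernel keeps, so a later change to the user buffer cannot desynchronise them.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct btf_header {                       /* field layout as in the UAPI header */
    uint16_t magic; uint8_t version, flags;
    uint32_t hdr_len, type_off, type_len, str_off, str_len;
};
#define BTF_MAGIC 0xeB9F
struct btf { struct btf_header hdr; void *data; }; /* hypothetical kernel-side object */
/* Verify a header that already lives in kernel memory (checks simplified). */
static int btf_verify_hdr(const struct btf_header *h, uint32_t size)
{
    if (h->magic != BTF_MAGIC || h->version != 1 || h->flags ||
        h->hdr_len != sizeof(*h) || h->hdr_len > size)
        return -1;
    uint32_t avail = size - h->hdr_len;   /* type/string sections follow the header */
    if (h->type_off > avail || h->type_len > avail - h->type_off ||
        h->str_off > avail || h->str_len > avail - h->str_off)
        return -1;
    return 0;
}
/* Copy first, verify second: one fetch from user space (memcpy stands in for
 * copy_from_user), and the header that gets checked is the bytes kept in btf->data. */
int btf_parse(struct btf *btf, const void *user_data, uint32_t size)
{
    if (size < sizeof(struct btf_header) || !(btf->data = malloc(size)))
        return -1;
    memcpy(btf->data, user_data, size);
    memcpy(&btf->hdr, btf->data, sizeof(btf->hdr));
    if (btf_verify_hdr(&btf->hdr, size) == 0)
        return 0;
    free(btf->data); btf->data = NULL;
    return -1;
}
/* Constructed sample (header-only blob). With 'tamper_after' set the user buffer is
 * changed after the copy, as a racing writer could; the kernel copy must be unaffected.
 * Returns 0 (accepted and consistent), -1 (rejected) or -2 (header/data mismatch). */
int demo_parse(uint16_t magic, int tamper_after)
{
    struct btf_header user = { magic, 1, 0, sizeof user, 0, 0, 0, 0 };
    struct btf btf = { { 0 }, NULL };
    int rc = btf_parse(&btf, &user, sizeof user) ? -1 : 0;
    if (rc == 0) {
        if (tamper_after) user.type_len = 0xffffffffu;
        if (memcmp(&btf.hdr, btf.data, sizeof btf.hdr) || btf_verify_hdr(btf.data, sizeof user))
            rc = -2;
        free(btf.data);
    }
    return rc;
}
```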