Subject: Re: [PATCH] bpf: explicitly memset the bpf_attr structure
To: Greg Kroah-Hartman, Alexei Starovoitov
Cc: Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Maciej Żenczykowski, John Stultz, Alexander Potapenko, Alistair Delva
References: <20200320094813.GA421650@kroah.com>
From: Daniel Borkmann
Message-ID: <3bcf52da-0930-a27f-60f9-28a40e639949@iogearbox.net>
Date: Fri, 20 Mar 2020 16:24:32 +0100
In-Reply-To: <20200320094813.GA421650@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/20/20 10:48 AM, Greg Kroah-Hartman wrote:
> For the bpf syscall, we are relying on the compiler to properly zero out
> the bpf_attr union that we copy userspace data into. Unfortunately that
> doesn't always work properly; padding and other oddities might not be
> correctly zeroed, and in some tests odd things have been found when the
> stack is pre-initialized to other values.
>
> Fix this by explicitly memsetting the structure to 0 before using it.
>
> Reported-by: Maciej Żenczykowski
> Reported-by: John Stultz
> Reported-by: Alexander Potapenko
> Reported-by: Alistair Delva
> Cc: stable
> Link: https://android-review.googlesource.com/c/kernel/common/+/1235490
> Signed-off-by: Greg Kroah-Hartman
> ---
>  kernel/bpf/syscall.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index a91ad518c050..a4b1de8ea409 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -3354,7 +3354,7 @@ static int bpf_map_do_batch(const union bpf_attr *attr,
>
>  SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
>  {
> -	union bpf_attr attr = {};
> +	union bpf_attr attr;
>  	int err;
>
>  	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
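Review bot: dropping the `= {}` initializer on `union bpf_attr attr` in this hunk leaves the object entirely uninitialized from its declaration until the memset added in the next hunk, so the two hunks are only correct as a pair; it would be more robust to place the `memset(&attr, 0, sizeof(attr));` directly after the declaration (or keep the initializer and add the memset), so that a later cleanup cannot separate them or reintroduce `= {}` on the assumption that it is equivalent. A short comment at the declaration would help too: for a union, the initializer is only specified to set the first named member, and whether the remaining bytes of the union's storage end up zeroed is left to the compiler, which is the "padding and other oddities" case the commit message describes.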
> @@ -3366,6 +3366,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
>  	size = min_t(u32, size, sizeof(attr));
>
>  	/* copy attributes from user space, may be less than sizeof(bpf_attr) */
> +	memset(&attr, 0, sizeof(attr));

Thanks for the fix; there are a few more of these places. We would also need
to cover:

  - bpf_prog_get_info_by_fd()
  - bpf_map_get_info_by_fd()
  - btf_get_info_by_fd()

Please add these as well to your fix.

>  	if (copy_from_user(&attr, uattr, size) != 0)
>  		return -EFAULT;
>
>
> base-commit: 6c90b86a745a446717fdf408c4a8a4631a5e8ee3
>
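Review bot: the `memset(&attr, 0, sizeof(attr));` in this hunk sits under the comment `/* copy attributes from user space, may be less than sizeof(bpf_attr) */`, which now describes only the line after it and says nothing about why the zeroing is there; suggest extending the comment to state that the memset is what guarantees the `sizeof(attr) - size` tail bytes the user did not supply are zero once `copy_from_user()` returns, e.g. `/* zero first: size may be less than sizeof(bpf_attr), and the tail must not hold stale stack contents */`. Using `sizeof(attr)` rather than `size` as the length is the right choice here and worth saying explicitly, since zeroing only the copied prefix would leave exactly the tail that matters untouched.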
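The following is an added user-space model of the syscall entry path discussed in the patch; it is example code written for this page, not code from the patch or from the kernel. `union attr_model`, `copy_attr()`, `simulate_entry()` and the other names are hypothetical stand-ins: the union is a cut-down layout chosen so that its first member is smaller than the union as a whole (not the real `union bpf_attr`), `copy_attr()` stands in for the clamped `copy_from_user()`, and `init_first_member_only()` models only what C guarantees for `= {}` on a union, not what any particular compiler emits. The point it demonstrates is the one behind the fix: a request shorter than the kernel's union leaves a tail that only an explicit full-size memset reliably clears.

```c
/* Added example, not kernel code: model of why the bpf() entry path must
 * memset its attr union before the bounded copy from user space. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical cut-down stand-in for union bpf_attr. The first member is
 * deliberately smaller (16 bytes) than the whole union (40 bytes). */
union attr_model {
	struct {			/* modelled MAP_CREATE attributes */
		uint32_t map_type;
		uint32_t key_size;
		uint32_t value_size;
		uint32_t max_entries;
	} map_create;
	struct {			/* modelled PROG_LOAD attributes */
		uint32_t prog_type;
		uint32_t insn_cnt;
		uint64_t insns;
		uint64_t license;
		uint32_t log_level;
		uint32_t log_size;
		uint64_t log_buf;
	} prog_load;
};

#define ATTR_SIZE sizeof(union attr_model)

/* Model of the C guarantee for `union attr_model attr = {};`: only the
 * first named member is required to be initialised. The rest of the union's
 * storage is modelled as left untouched (compilers often zero it anyway,
 * which is why the problem is hard to reproduce). */
static void init_first_member_only(union attr_model *attr)
{
	memset(&attr->map_create, 0, sizeof(attr->map_create));
}

/* What the patch does: zero every byte of the object. */
static void init_explicit(union attr_model *attr)
{
	memset(attr, 0, sizeof(*attr));
}

/* Stand-in for the clamped copy_from_user(): size is limited to the kernel's
 * union size, so a shorter (older-ABI) request leaves a tail uncopied.
 * Returns the number of bytes actually copied. */
static size_t copy_attr(union attr_model *attr, const void *uattr, size_t size)
{
	if (size > ATTR_SIZE)
		size = ATTR_SIZE;
	memcpy(attr, uattr, size);
	return size;
}

/* Count non-zero bytes in attr beyond the first `copied` bytes: anything
 * non-zero there is stale stack content the user never supplied. */
static size_t dirty_tail_bytes(const union attr_model *attr, size_t copied)
{
	const unsigned char *p = (const unsigned char *)attr;
	size_t n = 0;

	for (size_t i = copied; i < ATTR_SIZE; i++)
		n += p[i] != 0;
	return n;
}

/* One simulated syscall entry on a pre-dirtied stack slot. `zero_all`
 * selects the explicit memset (1) or first-member-only init (0).
 * Returns the number of dirty tail bytes left after the copy. */
static size_t simulate_entry(int zero_all)
{
	/* Constructed "user" request: an 8-byte prog_load prefix, shorter than
	 * the kernel's union, as an old binary on a new kernel would pass. */
	const unsigned char uattr[8] = { 1, 0, 0, 0, 2, 0, 0, 0 };
	union attr_model attr;
	size_t copied;

	/* Pre-fill the slot, standing in for leftovers of an earlier call. */
	memset(&attr, 0xa5, sizeof(attr));

	if (zero_all)
		init_explicit(&attr);
	else
		init_first_member_only(&attr);

	copied = copy_attr(&attr, uattr, sizeof(uattr));
	return dirty_tail_bytes(&attr, copied);
}
```

With the explicit memset `simulate_entry(1)` reports no dirty tail bytes; with first-member-only initialisation `simulate_entry(0)` reports 24, the bytes between the end of the 16-byte first member and the end of the 40-byte union. Those 24 bytes are precisely the region that `= {}` is not obliged to clear and that the copy of an 8-byte request never overwrites.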