diff mbox series

[SRU,Groovy,1/2] bpf, cgroup: Fix optlen WARN_ON_ONCE toctou

Message ID 20210218193937.29184-2-cascardo@canonical.com
State New
Headers show
Series CVE-2021-20194 | expand

Commit Message

Thadeu Lima de Souza Cascardo Feb. 18, 2021, 7:39 p.m. UTC
From: Loris Reiff <loris.reiff@liblor.ch>

A toctou issue in `__cgroup_bpf_run_filter_getsockopt` can trigger a
WARN_ON_ONCE in a check of `copy_from_user`.

`*optlen` is checked to be non-negative in the individual getsockopt
functions beforehand. Changing `*optlen` in a race to a negative value
will result in a `copy_from_user(ctx.optval, optval, ctx.optlen)` with
`ctx.optlen` being a negative integer.

Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
Signed-off-by: Loris Reiff <loris.reiff@liblor.ch>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/bpf/20210122164232.61770-1-loris.reiff@liblor.ch
(cherry picked from commit bb8b81e396f7afbe7c50d789e2107512274d2a35)
CVE-2021-20194
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 kernel/bpf/cgroup.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Colin King Feb. 18, 2021, 7:52 p.m. UTC | #1
On 18/02/2021 19:39, Thadeu Lima de Souza Cascardo wrote:
> From: Loris Reiff <loris.reiff@liblor.ch>
> 
> A toctou issue in `__cgroup_bpf_run_filter_getsockopt` can trigger a
> WARN_ON_ONCE in a check of `copy_from_user`.
> 
> `*optlen` is checked to be non-negative in the individual getsockopt
> functions beforehand. Changing `*optlen` in a race to a negative value
> will result in a `copy_from_user(ctx.optval, optval, ctx.optlen)` with
> `ctx.optlen` being a negative integer.
> 
> Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> Signed-off-by: Loris Reiff <loris.reiff@liblor.ch>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Reviewed-by: Stanislav Fomichev <sdf@google.com>
> Link: https://lore.kernel.org/bpf/20210122164232.61770-1-loris.reiff@liblor.ch
> (cherry picked from commit bb8b81e396f7afbe7c50d789e2107512274d2a35)
> CVE-2021-20194
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>  kernel/bpf/cgroup.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index ac53102e244a..7bae3686603e 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -1417,6 +1417,11 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
>  			goto out;
>  		}
>  
> +		if (ctx.optlen < 0) {
> +			ret = -EFAULT;
> +			goto out;
> +		}
> +
>  		if (copy_from_user(ctx.optval, optval,
>  				   min(ctx.optlen, max_optlen)) != 0) {
>  			ret = -EFAULT;
> 

Acked-by: Colin Ian King <colin.king@canonical.com>
diff mbox series

Patch

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index ac53102e244a..7bae3686603e 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1417,6 +1417,11 @@  int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
 			goto out;
 		}
 
+		if (ctx.optlen < 0) {
+			ret = -EFAULT;
+			goto out;
+		}
+
 		if (copy_from_user(ctx.optval, optval,
 				   min(ctx.optlen, max_optlen)) != 0) {
 			ret = -EFAULT;