From patchwork Fri Oct 19 22:29:51 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 987089
X-Patchwork-Delegate: bpf@iogearbox.net
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Alexei Starovoitov, Daniel Borkmann, netdev@vger.kernel.org (open list:BPF (Safe dynamic programs and tools)), linux-kernel@vger.kernel.org (open list:BPF (Safe dynamic programs and tools))
Subject: [PATCH] bpf: btf: Fix a missing-check bug
Date: Fri, 19 Oct 2018 17:29:51 -0500
Message-Id: <1539988191-13973-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: netdev@vger.kernel.org

In btf_parse(), the header of the user-space btf data 'btf_data' is firstly parsed and verified through btf_parse_hdr(). In btf_parse_hdr(), the header is copied from user-space 'btf_data' to kernel-space 'btf->hdr' and then verified. If no error happens during the verification process, the whole data of 'btf_data', including the header, is then copied to 'data' in btf_parse(). It is obvious that the header is copied twice here. More importantly, no check is enforced after the second copy to make sure the headers obtained in these two copies are the same. Given that 'btf_data' resides in the user space, a malicious user can race to modify the header between these two copies. By doing so, the user can inject inconsistent data, which can cause undefined behavior of the kernel and introduce a potential security risk.

To avoid the above issue, this patch rewrites the header after the second copy, using 'btf->hdr', which is obtained in the first copy.

Signed-off-by: Wenwen Wang
Acked-by: Martin KaFai Lau
---
 kernel/bpf/btf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 138f030..2a85f91 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -2202,6 +2202,9 @@ static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size, goto errout; } + memcpy(data, &btf->hdr, + min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr))); + err = btf_parse_str_sec(env); if (err) goto errout;
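Review bot: the rewrite copies only min_t(u32, btf->hdr.hdr_len, sizeof(btf->hdr)) bytes, so when hdr_len is larger than sizeof(btf->hdr) the bytes of the header between sizeof(btf->hdr) and hdr_len in `data` keep whatever the second copy_from_user() fetched and are not restored from the validated `btf->hdr`. If btf_parse_hdr() checks that trailing range, or later parsing reads it, the same two-copy inconsistency remains there; either restore (or zero) the full hdr_len range, or add a comment above the memcpy stating that only the first sizeof(btf->hdr) bytes are ever consumed. A short comment would help in any case, since a bare memcpy directly after the full copy reads as redundant to anyone who does not know about the race, and the commit message is the only place the reason is recorded.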
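As an added illustration of the two-copy race the message describes (example code written here, not the patch's or the kernel's own): a blob in an ordinary buffer standing in for user memory is copied once for header validation, then copied again in full, with a hook between the copies playing the racing user-space writer. The header layout, the validation rules, `copy_from_user_sim`, `parse_blob`, and the hook are all assumptions of this example and do not reproduce the BTF code; the memcpy guarded by `fix_header` mirrors what the patch's rewrite from `btf->hdr` achieves, and `run_scenario` shows the header that downstream code would read with and without it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header layout for this example (16 bytes, no padding); it is
 * not the kernel's struct btf_header. */
struct hdr {
    uint16_t magic;
    uint8_t  version;
    uint8_t  flags;
    uint32_t hdr_len;
    uint32_t str_off;
    uint32_t str_len;
};

#define HDR_MAGIC 0xeB9F

/* Hook run between the two copies; it plays the racing user-space writer. */
typedef void (*race_hook_t)(uint8_t *user_buf, uint32_t size);

/* Stand-in for copy_from_user(): here the "user" buffer is plain memory. */
static void copy_from_user_sim(void *dst, const uint8_t *src, uint32_t n)
{
    memcpy(dst, src, n);
}

/* Header checks of the kind done on the first copy (example rules only). */
int validate_hdr(const struct hdr *h, uint32_t size)
{
    if (h->magic != HDR_MAGIC)
        return -1;
    if (h->hdr_len < sizeof(*h) || h->hdr_len > size)
        return -1;
    if (h->str_off < h->hdr_len || h->str_off > size)
        return -1;
    if ((uint64_t)h->str_off + h->str_len > size)
        return -1;
    return 0;
}

/* Copies user_buf into data (>= size bytes): header first, validate, then
 * the whole blob. With fix_header set, the validated header is written back
 * over the second copy, which is what the patch's memcpy does. Returns 0 on
 * success; *validated receives the header that passed the checks. */
int parse_blob(uint8_t *user_buf, uint32_t size, uint8_t *data,
               struct hdr *validated, race_hook_t hook, int fix_header)
{
    struct hdr h;

    if (size < sizeof(h))
        return -1;
    copy_from_user_sim(&h, user_buf, sizeof(h));   /* first copy: header */
    if (validate_hdr(&h, size))
        return -1;

    if (hook)                       /* race window: user space may rewrite */
        hook(user_buf, size);

    copy_from_user_sim(data, user_buf, size);      /* second copy: all of it */

    /* Mirrors the patch's min_t(): with this validator hdr_len is never
     * below sizeof(h), so sizeof(h) bytes are always restored. */
    if (fix_header)
        memcpy(data, &h, h.hdr_len < sizeof(h) ? h.hdr_len : sizeof(h));

    *validated = h;
    return 0;
}

/* 1 if the header downstream code would read from data is the checked one. */
int header_consistent(const uint8_t *data, const struct hdr *validated)
{
    return memcmp(data, validated, sizeof(*validated)) == 0;
}

/* Constructed racing writer: after validation, set str_len to a value the
 * validator would have rejected. */
static void inflate_str_len(uint8_t *user_buf, uint32_t size)
{
    uint32_t bad = 0xffffffffu;
    (void)size;
    memcpy(user_buf + offsetof(struct hdr, str_len), &bad, sizeof(bad));
}

/* Runs one parse with the racing writer active. Returns 1 if the header in
 * data still matches the validated header, 0 if not, -1 on parse failure. */
int run_scenario(int fix_header)
{
    static uint8_t user_buf[256];
    static uint8_t data[256];
    struct hdr validated;
    struct hdr init = { HDR_MAGIC, 1, 0, sizeof(struct hdr),
                        sizeof(struct hdr), 8 };   /* constructed valid header */

    memset(user_buf, 0, sizeof(user_buf));
    memcpy(user_buf, &init, sizeof(init));
    if (parse_blob(user_buf, sizeof(user_buf), data, &validated,
                   inflate_str_len, fix_header))
        return -1;
    return header_consistent(data, &validated);
}

int main(void)
{
    printf("without header rewrite: consistent=%d\n", run_scenario(0));
    printf("with header rewrite:    consistent=%d\n", run_scenario(1));
    return 0;
}
```

Without the rewrite, the header left in `data` carries the str_len that was changed after validation, so every later bounds decision would be made against unchecked values; with it, the header that was actually checked is the one the rest of the parser sees, regardless of what the second copy fetched.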