| Message ID | 20210218193937.29184-2-cascardo@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | CVE-2021-20194 | expand |
On 18/02/2021 19:39, Thadeu Lima de Souza Cascardo wrote: > From: Loris Reiff <loris.reiff@liblor.ch> > > A toctou issue in `__cgroup_bpf_run_filter_getsockopt` can trigger a > WARN_ON_ONCE in a check of `copy_from_user`. > > `*optlen` is checked to be non-negative in the individual getsockopt > functions beforehand. Changing `*optlen` in a race to a negative value > will result in a `copy_from_user(ctx.optval, optval, ctx.optlen)` with > `ctx.optlen` being a negative integer. > > Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") > Signed-off-by: Loris Reiff <loris.reiff@liblor.ch> > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> > Reviewed-by: Stanislav Fomichev <sdf@google.com> > Link: https://lore.kernel.org/bpf/20210122164232.61770-1-loris.reiff@liblor.ch > (cherry picked from commit bb8b81e396f7afbe7c50d789e2107512274d2a35) > CVE-2021-20194 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > kernel/bpf/cgroup.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c > index ac53102e244a..7bae3686603e 100644 > --- a/kernel/bpf/cgroup.c > +++ b/kernel/bpf/cgroup.c > @@ -1417,6 +1417,11 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, > goto out; > } > > + if (ctx.optlen < 0) { > + ret = -EFAULT; > + goto out; > + } > + > if (copy_from_user(ctx.optval, optval, > min(ctx.optlen, max_optlen)) != 0) { > ret = -EFAULT; > Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index ac53102e244a..7bae3686603e 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -1417,6 +1417,11 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, goto out; } + if (ctx.optlen < 0) { + ret = -EFAULT; + goto out; + } + if (copy_from_user(ctx.optval, optval, min(ctx.optlen, max_optlen)) != 0) { ret = -EFAULT;