lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Nov 2016 17:04:53 -0800 From: Andy Lutomirski <luto@...capital.net> To: Jann Horn <jannh@...gle.com> Cc: Daniel Borkmann <daniel@...earbox.net>, Alexei Starovoitov <ast@...nel.org>, "David S. Miller" <davem@...emloft.net>, Josef Bacik <jbacik@...com>, "security@...nel.org" <security@...nel.org>, Network Development <netdev@...r.kernel.org> Subject: Re: 484611357c19 introduces arbitrary kernel write bug (root-only) On Tue, Nov 8, 2016 at 4:23 PM, Jann Horn <jannh@...gle.com> wrote: > In 484611357c19 (not in any stable kernel yet), functionality is > introduced that allows root (and afaics nobody else, since nobody else > is allowed to perform pointer arithmetic) to basically write to (and > read from) arbitrary kernel memory. There are multiple bugs in the > validation logic: > I was curious, so I gave the code a quick read. I also see: + /* PTR_TO_MAP_VALUE_ADJ is used for doing pointer math inside of a map + * elem value. We only allow this if we can statically verify that + * access from this register are going to fall within the size of the + * map element. + */ + PTR_TO_MAP_VALUE_ADJ, shouldn't this document what logical type this is? Is it a pointer? Is it an offset? (It seems to be checked as though it's a pointer with a max offset of "max_value", which makes very little sense to me.) regs[i].min_value = BPF_REGISTER_MIN_RANGE; where min_value is a u64 and BPF_REGISTER_MIN_RANGE is negative. Shouldn't those be s64? init_reg_state() duplicates reset_reg_range_values(). That's all I've read so far.
Powered by blists - more mailing lists