| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 May 2018 16:09:12 -0700 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: Daniel Borkmann <daniel@...earbox.net> Cc: netdev@...r.kernel.org Subject: Re: [PATCH bpf] bpf: fix truncated jump targets on heavy expansions On Thu, May 17, 2018 at 01:44:11AM +0200, Daniel Borkmann wrote: > Recently during testing, I ran into the following panic: > > Therefore it becomes necessary to detect and reject any such occasions > in a generic way for native eBPF and cBPF to eBPF migrations. For > the latter we can simply check bounds in the bpf_convert_filter()'s > BPF_EMIT_JMP helper macro and bail out once we surpass limits. The > bpf_patch_insn_single() for native eBPF (and cBPF to eBPF in case > of subsequent hardening) is a bit more complex in that we need to > detect such truncations before hitting the bpf_prog_realloc(). Thus > the latter is split into an extra pass to probe problematic offsets > on the original program in order to fail early. With that in place > and carefully tested I no longer hit the panic and the rewrites are > rejected properly. The above example panic I've seen on bpf-next, > though the issue itself is generic in that a guard against this issue > in bpf seems more appropriate in this case. > > Signed-off-by: Daniel Borkmann <daniel@...earbox.net> Nice catch! Applied.
Powered by blists - more mailing lists