lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <43d7dc08-1c02-cb8c-40bd-14b715e31bba@iogearbox.net>
Date:   Thu, 28 Dec 2017 00:07:09 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Jann Horn <jannh@...gle.com>, Alexei Starovoitov <ast@...nel.org>
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] bpf: selftest for late caller stack size increase

On 12/22/2017 07:12 PM, Jann Horn wrote:
> This checks that it is not possible to bypass the total stack size check in
> update_stack_depth() by calling a function that uses a large amount of
> stack memory *before* using a large amount of stack memory in the caller.
> 
> Currently, the first added testcase causes a rejection as expected, but
> the second testcase is (AFAICS incorrectly) accepted:
> 
> [...]
> #483/p calls: stack overflow using two frames (post-call access) FAIL
> Unexpected success to load!
> 0: (85) call pc+2
> caller:
>  R10=fp0,call_-1
> callee:
>  frame1: R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
> 3: (72) *(u8 *)(r10 -300) = 0
> 4: (b7) r0 = 0
> 5: (95) exit
> returning from callee:
>  frame1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
> to caller at 1:
>  R0_w=inv0 R10=fp0,call_-1
> 
> from 5 to 1: R0=inv0 R10=fp0,call_-1
> 1: (72) *(u8 *)(r10 -300) = 0
> 2: (95) exit
> processed 6 insns, stack depth 300+300
> [...]
> Summary: 704 PASSED, 1 FAILED
> 
> AFAICS the JIT-generated code for the second testcase shows that this
> really causes the stack pointer to be decremented by 300+300:
> 
> first function:
> 00000000  55                push rbp
> 00000001  4889E5            mov rbp,rsp
> 00000004  4881EC58010000    sub rsp,0x158
> 0000000B  4883ED28          sub rbp,byte +0x28
> [...]
> 00000025  E89AB3AFE5        call 0xffffffffe5afb3c4
> 0000002A  C685D4FEFFFF00    mov byte [rbp-0x12c],0x0
> [...]
> 00000041  4883C528          add rbp,byte +0x28
> 00000045  C9                leave
> 00000046  C3                ret
> 
> second function:
> 00000000  55                push rbp
> 00000001  4889E5            mov rbp,rsp
> 00000004  4881EC58010000    sub rsp,0x158
> 0000000B  4883ED28          sub rbp,byte +0x28
> [...]
> 00000025  C685D4FEFFFF00    mov byte [rbp-0x12c],0x0
> [...]
> 0000003E  4883C528          add rbp,byte +0x28
> 00000042  C9                leave
> 00000043  C3                ret
> 
> Signed-off-by: Jann Horn <jannh@...gle.com>

Applied to bpf-next, thanks a lot Jann!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ