| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43898.1539033428@turing-police.cc.vt.edu>
Date: Mon, 08 Oct 2018 17:17:08 -0400
From: valdis.kletnieks@...edu
To: Song Liu <liu.song.a23@...il.com>
Cc: wang6495@....edu, kjlu@....edu,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Networking <netdev@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] bpf: btf: Fix a missing check bug
On Mon, 08 Oct 2018 13:51:09 -0700, Song Liu said:
> On Sun, Oct 7, 2018 at 1:26 PM Wenwen Wang <wang6495@....edu> wrote:
> > same value. Given that the btf data is in the user space, a malicious user
> > can race to change the data between the two copies. By doing so, the user
> > can provide malicious data to the kernel and cause undefined behavior.
> These two numbers are copied from same memory location, right? So I
> think this check is not necessary?
Security researchers call this a TOCTOU bug - Time of Check - Time of Use.
What can happen:
1) We fetch the value (say we get 90) from userspace and stash it in hdr_len.
2) We do some other stuff like check the hdr_len isn't too big, etc..
meanwhile, on another CPU running another thread of the process...
3) malicious code stuffs a 117 into that field
4) We fetch the entire header, incliding a now-changed hdr_len (now 117) and
stick it in btf->hdr->hdr_len.
5) Any code that assumes that hdr_len and btf->hdr->hdr_len are the same value
explodes in interesting ways.
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists