| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Apr 2021 01:55:42 +0200
From: Florent Revest <revest@...omium.org>
To: bpf@...r.kernel.org
Cc: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
kpsingh@...nel.org, jackmanb@...gle.com,
linux-kernel@...r.kernel.org, Florent Revest <revest@...omium.org>
Subject: [PATCH bpf-next 1/2] bpf: Notify user if we ever hit a bpf_snprintf verifier bug
In check_bpf_snprintf_call(), a map_direct_value_addr() of the fmt map
should never fail because it has already been checked by
ARG_PTR_TO_CONST_STR. But if it ever fails, it's better to error out
with an explicit debug message rather than silently fail.
Signed-off-by: Florent Revest <revest@...omium.org>
Reported-by: Alexei Starovoitov <ast@...nel.org>
---
kernel/bpf/verifier.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 58730872f7e5..59799a9b014a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5940,8 +5940,10 @@ static int check_bpf_snprintf_call(struct bpf_verifier_env *env,
fmt_map_off = fmt_reg->off + fmt_reg->var_off.value;
err = fmt_map->ops->map_direct_value_addr(fmt_map, &fmt_addr,
fmt_map_off);
- if (err)
- return err;
+ if (err) {
+ verbose(env, "verifier bug\n");
+ return -EFAULT;
+ }
fmt = (char *)(long)fmt_addr + fmt_map_off;
/* We are also guaranteed that fmt+fmt_map_off is NULL terminated, we
--
2.31.1.498.g6c1eba8ee3d-goog
Powered by blists - more mailing lists