lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 26 Sep 2022 17:44:27 +0200
From:   Roberto Sassu <roberto.sassu@...weicloud.com>
To:     ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
        martin.lau@...ux.dev, song@...nel.org, yhs@...com,
        john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com,
        haoluo@...gle.com, jolsa@...nel.org, mykolal@...com,
        shuah@...nel.org, oss@....io
Cc:     bpf@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-kernel@...r.kernel.org, fengc@...gle.com, davem@...emloft.net
Subject: [RFC][PATCH 0/3] bpf: Enforce map fd modes in verifier

From: Roberto Sassu <roberto.sassu@...wei.com>

===
All credits of this patch set go to Lorenz Bauer <oss@....io>, as he
identified this issue and proposed a number of solutions.
===

Lorenz presented at the Linux Plumbers EU 2022 a talk with title 'Closing
the BPF map permission loophole', where he reported that read-only fds can
be used for map update operations, if they were provided to eBPF programs.

This work initially started as PoC to reproduce the reported bug, and
became the test for validating an idea on how to fix the bug.

Patch 1 adds a dependency necessary for the tests.

The actual fix, in patch 2, is relatively simple. It is based on an already
existing enforcement mechanism in the eBPF verifier for map flags. As
Lorenz mentioned, a problem would be backporting this fix to stable kernels
which don't have that enforcement mechanism. However, backporting just the
enforcement mechanism itself (without introducing the new map flags and
allowing user space to use them) could meet the stable kernel criteria.

Alternatively, a completely different fix can be developed for older stable
kernels, like what Lorenz suggested, to refuse fds which are not
read/write.

Finally, patch 3 introduces the tests.

Roberto Sassu (3):
  libbpf: Define bpf_get_fd_opts and introduce
    bpf_map_get_fd_by_id_opts()
  bpf: Enforce granted permissions in a map fd at verifier level
  selftests/bpf: Test enforcement of map fd permissions at verifier
    level

 include/linux/bpf.h                           |  13 +
 include/linux/bpf_verifier.h                  |   1 +
 kernel/bpf/verifier.c                         |  26 +-
 tools/lib/bpf/bpf.c                           |  12 +-
 tools/lib/bpf/bpf.h                           |  10 +
 tools/lib/bpf/libbpf.map                      |   3 +-
 .../selftests/bpf/prog_tests/map_fd_perm.c    | 227 ++++++++++++++++++
 7 files changed, 288 insertions(+), 4 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/map_fd_perm.c

-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ