lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 11 Mar 2024 11:01:52 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Eduard Zingerman <eddyz87@...il.com>
Cc: Edward Adam Davis <eadavis@...com>, syzbot+cc32304f6487ebff9b70@...kaller.appspotmail.com, 
	andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, 
	haoluo@...gle.com, john.fastabend@...il.com, jolsa@...nel.org, 
	kpsingh@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev, 
	netdev@...r.kernel.org, sdf@...gle.com, song@...nel.org, 
	syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: Re: [PATCH bpf-next] bpf: fix oob in btf_name_valid_section

On Mon, Mar 11, 2024 at 7:48 AM Eduard Zingerman <eddyz87@...il.com> wrote:
>
> On Mon, 2024-03-11 at 21:16 +0800, Edward Adam Davis wrote:
> > Check the first char of the BTF DATASEC names.
> >
> > Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
> > Reported-and-tested-by: syzbot+cc32304f6487ebff9b70@...kaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@...com>
> > ---
> >  kernel/bpf/btf.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 170d017e8e4a..dda0aa0d7175 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -816,6 +816,8 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
> >       const char *src = btf_str_by_offset(btf, offset);
> >       const char *src_limit;
> >
> > +     if (!isprint(*src))
> > +             return false;
> >       /* set a limit on identifier length */
> >       src_limit = src + KSYM_NAME_LEN;
> >       src++;
>
> Hi Edward,
>
> Thank you for fixing this.
> I wonder, maybe something like below would be simpler?
>
> Thanks,
> Eduard
>
> ---
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 170d017e8e4a..3d95d5398c8a 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -818,7 +818,6 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
>
>         /* set a limit on identifier length */
>         src_limit = src + KSYM_NAME_LEN;
> -       src++;

ah, __btf_name_valid() has a separate __btf_name_char_ok(*src, true)
check and then skips first character :(

What Eduard proposes makes sense, we shouldn't advance src before the loop.

Eduard, I'd also say we should make __btf_name_valid() a bit more
uniform by dropping that first if and then doing

if (!__btf_name_char_ok(*src, src == src_orig))
    return false;

where we just remember original string pointer in src_orig.

WDYT?


>         while (*src && src < src_limit) {
>                 if (!isprint(*src))
>                         return false;
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ