| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Apr 2024 19:55:52 -0700 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: Benjamin Tissoires <bentiss@...nel.org> Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>, bpf <bpf@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, "open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org> Subject: Re: [PATCH bpf-next v2 11/16] bpf: wq: add bpf_wq_init On Sat, Apr 20, 2024 at 2:10 AM Benjamin Tissoires <bentiss@...nel.org> wrote: > > We need to teach the verifier about the second argument which is declared > as void * but which is of type KF_ARG_PTR_TO_MAP. We could have dropped > this extra case if we declared the second argument as struct bpf_map *, > but that means users will have to do extra casting to have their program > compile. > > We also need to duplicate the timer code for the checking if the map > argument is matching the provided workqueue. > > Signed-off-by: Benjamin Tissoires <bentiss@...nel.org> > > --- > > FWIW, I still have one concern with this implementation: > - bpf_wq_work() access ->prog without protection, but I think this might > be racing with bpf_wq_set_callback(): if we have the following: > > CPU 0 CPU 1 > bpf_wq_set_callback() > bpf_start() > bpf_wq_work(): > prog = cb->prog; > > bpf_wq_set_callback() > cb->prog = prog; > bpf_prog_put(prev) > rcu_assign_ptr(cb->callback_fn, > callback_fn); > callback = READ_ONCE(w->cb.callback_fn); > > As I understand callback_fn is fine, prog might be, but we clearly > have an inconstency between "prog" and "callback_fn" as they can come > from 2 different bpf_wq_set_callback() calls. > > IMO we should protect this by the async->lock, but I'm not sure if > it's OK or not. I see the concern, but I think it's overkill. Here 'prog' is used to pass it into __bpf_prog_enter_sleepable_recur() to keep the standard pattern of calling into sleepable prog. But it won't recurse. We can open code migrate_disable,etc from there except this_cpu_inc_return, but it's an overkill. The passed 'prog' is irrelevant. If somebody tries really hard by having two progs sharing the same map with bpf_wq and racing to set_callback... I can see how prog won't match callback, but it won't make a difference. prog is not going trigger recursion check (unless somebody tries is obsessed) and not going to UAF. I imagine it's possible to attach somewhere in core wq callback invocation path with fentry, set_callback to the same prog, and technically it's kinda sorta recursion, but different subprogs, so not a safety issue. The code as-is is fine. imo.
Powered by blists - more mailing lists