lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMEtUuxLbDpkxJ4fORRdsJ36vBiidBwA0SVAwvmDHEpPmhTA2Q@mail.gmail.com>
Date:	Tue, 13 May 2014 13:34:08 -0700
From:	Alexei Starovoitov <ast@...mgrid.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Daniel Borkmann <dborkman@...hat.com>,
	Heiko Carstens <heiko.carstens@...ibm.com>,
	Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH net] net: filter: x86: fix JIT address randomization

On Tue, May 13, 2014 at 1:23 PM, Eric Dumazet <eric.dumazet@...il.com> wrote:
> On Tue, 2014-05-13 at 11:53 -0700, Alexei Starovoitov wrote:
>> bpf_alloc_binary() adds 128 bytes of room to JITed program image
>> and rounds it up to the nearest page size. If image size is close
>> to page size (like 4000), it is rounded to two pages:
>> round_up(4000 + 4 + 128) == 8192
>> then 'hole' is computed as 8192 - (4000 + 4) = 4188
>> If prandom_u32() % hole selects a number >= 4096, then kernel will crash
>> during bpf_jit_free():
>>
>> kernel BUG at arch/x86/mm/pageattr.c:887!
>> Call Trace:
>>  [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
>>  [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
>>  [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
>>  [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
>>  [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
>>  [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
>>  [<ffffffff8106c90c>] worker_thread+0x11c/0x370
>>
>> since bpf_jit_free() does:
>>   unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
>>   struct bpf_binary_header *header = (void *)addr;
>> to compute start address of 'bpf_binary_header'
>> and header->pages will pass junk to:
>>   set_memory_rw(addr, header->pages);
>>
>> Fix it by picking image offset always out of the first page.
>
> You mean, offset should be in first page ?

yes.
&header->image[prandom_u32() % hole]
should in the same page as
&header

>>
>> While at it make the offset to be within first half of the page,
>> so there is some room for CPU to run before it hits page miss.
>>
>> Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
>> Signed-off-by: Alexei Starovoitov <ast@...mgrid.com>
>> ---
>>
>> s390 commit aa2d2c73c21f ("s390/bpf,jit: address randomize and write protect jit code")
>> seems to have the same problem
>>
>>  arch/x86/net/bpf_jit_comp.c |    2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
>> index dc01773..c6ab7a0 100644
>> --- a/arch/x86/net/bpf_jit_comp.c
>> +++ b/arch/x86/net/bpf_jit_comp.c
>> @@ -171,7 +171,7 @@ static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen,
>>       memset(header, 0xcc, sz); /* fill whole space with int3 instructions */
>>
>>       header->pages = sz / PAGE_SIZE;
>> -     hole = sz - (proglen + sizeof(*header));
>> +     hole = min(sz - (proglen + sizeof(*header)), PAGE_SIZE / 2);
>>
>>       /* insert a random number of int3 instructions before BPF code */
>>       *image_ptr = &header->image[prandom_u32() % hole];
>
> Good catch, but I am not sure about the PAGE_SIZE / 2
>
> The argument of not having code ending on (or being very close of) page
> boundary seems orthogonal to this bug fix.

Gotta pick some number... page/2 seems good enough to have
large range for prandom() to choose and better performance.
Another alternative is to do min(…, PAGE_SIZE - sizeof(*header)),
but that is harder to understand.

Also just realized that I miscalculated the breaking point:
"If prandom_u32() % hole selects a number >= 4096, then kernel will crash"
it should read: "… >= 4092 ..."
since sizeof(*header) needs to be accounted for.

> Thanks
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ