lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <552E8CC8.9070403@plumgrid.com>
Date:	Wed, 15 Apr 2015 09:07:36 -0700
From:	Alexei Starovoitov <ast@...mgrid.com>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>
CC:	"David S. Miller" <davem@...emloft.net>,
	Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net] bpf: fix verifier memory corruption

On 4/15/15 8:59 AM, Hannes Frederic Sowa wrote:
> On Di, 2015-04-14 at 15:57 -0700, Alexei Starovoitov wrote:
>> Due to missing bounds check the DAG pass of the BPF verifier can corrupt
>> the memory which can cause random crashes during program loading:
>>
>> [8.449451] BUG: unable to handle kernel paging request at ffffffffffffffff
>> [8.451293] IP: [<ffffffff811de33d>] kmem_cache_alloc_trace+0x8d/0x2f0
>> [8.452329] Oops: 0000 [#1] SMP
>> [8.452329] Call Trace:
>> [8.452329]  [<ffffffff8116cc82>] bpf_check+0x852/0x2000
>> [8.452329]  [<ffffffff8116b7e4>] bpf_prog_load+0x1e4/0x310
>> [8.452329]  [<ffffffff811b190f>] ? might_fault+0x5f/0xb0
>> [8.452329]  [<ffffffff8116c206>] SyS_bpf+0x806/0xa30
>>
>> Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
>> Signed-off-by: Alexei Starovoitov <ast@...mgrid.com>
>> ---
>> Many things need to align for this crash to be seen, yet I managed to hit it.
>> In my case JA was last insn, 't' was 255 and explored_states array
>> had 256 elements. I've double checked other similar paths and all seems clean.
>>
>>   kernel/bpf/verifier.c |    3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index a28e09c7825d..36508e69e92a 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -1380,7 +1380,8 @@ peek_stack:
>>   			/* tell verifier to check for equivalent states
>>   			 * after every call and jump
>>   			 */
>> -			env->explored_states[t + 1] = STATE_LIST_MARK;
>> +			if (t + 1 < insn_cnt)
>> +				env->explored_states[t + 1] = STATE_LIST_MARK;
>>   		} else {
>>   			/* conditional jump with two edges */
>>   			ret = push_insn(t, t + 1, FALLTHROUGH, env);
>
> Quick review:
>
> We have env->explored_states[t+1] access in the
>
>                  } else {
>                          /* conditional jump with two edges */
>                          ret = push_insn(t, t + 1, FALLTHROUGH, env);
>                          if (ret == 1)
>                                  goto peek_stack;
>                          else if (ret < 0)
>                                  goto err_free;
>
>>>>                      ret = push_insn(t, t + insns[t].off + 1, BRANCH, env);
>                          if (ret == 1)
>                                  goto peek_stack;
>                          else if (ret < 0)
>                                  goto err_free;
>                  }
>          } else {
>
>
> push_insn call. At this point insn[t].off could be 0, no?

insn[t].off can be anything, but the first thing that push_insn()
checks is:
if (w < 0 || w >= env->prog->len)
only then it does:
env->explored_states[w] = STATE_LIST_MARK;
so we're good there.
Though thanks for triple checking :)

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ