| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Apr 2015 18:12:49 +0200
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: Alexei Starovoitov <ast@...mgrid.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net] bpf: fix verifier memory corruption
On Wed, Apr 15, 2015, at 18:07, Alexei Starovoitov wrote:
> On 4/15/15 8:59 AM, Hannes Frederic Sowa wrote:
> > On Di, 2015-04-14 at 15:57 -0700, Alexei Starovoitov wrote:
> >> Due to missing bounds check the DAG pass of the BPF verifier can corrupt
> >> the memory which can cause random crashes during program loading:
> >>
> >> [8.449451] BUG: unable to handle kernel paging request at ffffffffffffffff
> >> [8.451293] IP: [<ffffffff811de33d>] kmem_cache_alloc_trace+0x8d/0x2f0
> >> [8.452329] Oops: 0000 [#1] SMP
> >> [8.452329] Call Trace:
> >> [8.452329] [<ffffffff8116cc82>] bpf_check+0x852/0x2000
> >> [8.452329] [<ffffffff8116b7e4>] bpf_prog_load+0x1e4/0x310
> >> [8.452329] [<ffffffff811b190f>] ? might_fault+0x5f/0xb0
> >> [8.452329] [<ffffffff8116c206>] SyS_bpf+0x806/0xa30
> >>
> >> Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier")
> >> Signed-off-by: Alexei Starovoitov <ast@...mgrid.com>
> >> ---
> >> Many things need to align for this crash to be seen, yet I managed to hit it.
> >> In my case JA was last insn, 't' was 255 and explored_states array
> >> had 256 elements. I've double checked other similar paths and all seems clean.
> >>
> >> kernel/bpf/verifier.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> >> index a28e09c7825d..36508e69e92a 100644
> >> --- a/kernel/bpf/verifier.c
> >> +++ b/kernel/bpf/verifier.c
> >> @@ -1380,7 +1380,8 @@ peek_stack:
> >> /* tell verifier to check for equivalent states
> >> * after every call and jump
> >> */
> >> - env->explored_states[t + 1] = STATE_LIST_MARK;
> >> + if (t + 1 < insn_cnt)
> >> + env->explored_states[t + 1] = STATE_LIST_MARK;
> >> } else {
> >> /* conditional jump with two edges */
> >> ret = push_insn(t, t + 1, FALLTHROUGH, env);
> >
> > Quick review:
> >
> > We have env->explored_states[t+1] access in the
> >
> > } else {
> > /* conditional jump with two edges */
> > ret = push_insn(t, t + 1, FALLTHROUGH, env);
> > if (ret == 1)
> > goto peek_stack;
> > else if (ret < 0)
> > goto err_free;
> >
> >>>> ret = push_insn(t, t + insns[t].off + 1, BRANCH, env);
> > if (ret == 1)
> > goto peek_stack;
> > else if (ret < 0)
> > goto err_free;
> > }
> > } else {
> >
> >
> > push_insn call. At this point insn[t].off could be 0, no?
>
> insn[t].off can be anything, but the first thing that push_insn()
> checks is:
> if (w < 0 || w >= env->prog->len)
> only then it does:
> env->explored_states[w] = STATE_LIST_MARK;
> so we're good there.
> Though thanks for triple checking :)
Sorry, yes. That check was too obvious to me. ;)
Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
Bye,
Hannes
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists