| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrXnqoPD8X1R6v4vZZatrA=fJdn6NTs-zaNqd6Qc4qMJNQ@mail.gmail.com>
Date: Tue, 8 Nov 2016 17:04:53 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Jann Horn <jannh@...gle.com>
Cc: Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Josef Bacik <jbacik@...com>,
"security@...nel.org" <security@...nel.org>,
Network Development <netdev@...r.kernel.org>
Subject: Re: 484611357c19 introduces arbitrary kernel write bug (root-only)
On Tue, Nov 8, 2016 at 4:23 PM, Jann Horn <jannh@...gle.com> wrote:
> In 484611357c19 (not in any stable kernel yet), functionality is
> introduced that allows root (and afaics nobody else, since nobody else
> is allowed to perform pointer arithmetic) to basically write to (and
> read from) arbitrary kernel memory. There are multiple bugs in the
> validation logic:
>
I was curious, so I gave the code a quick read. I also see:
+ /* PTR_TO_MAP_VALUE_ADJ is used for doing pointer math inside of a map
+ * elem value. We only allow this if we can statically verify that
+ * access from this register are going to fall within the size of the
+ * map element.
+ */
+ PTR_TO_MAP_VALUE_ADJ,
shouldn't this document what logical type this is? Is it a pointer?
Is it an offset? (It seems to be checked as though it's a pointer
with a max offset of "max_value", which makes very little sense to
me.)
regs[i].min_value = BPF_REGISTER_MIN_RANGE;
where min_value is a u64 and BPF_REGISTER_MIN_RANGE is negative.
Shouldn't those be s64?
init_reg_state() duplicates reset_reg_range_values().
That's all I've read so far.
Powered by blists - more mailing lists