lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 29 Jul 2017 16:18:45 +0800
From:   Martin KaFai Lau <iamkafai@...il.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     davem@...emloft.net, kafai@...com, alexei.starovoitov@...il.com,
        netdev@...r.kernel.org
Subject: Re: [PATCH net] bpf: fix bpf_prog_get_info_by_fd to dump correct xlated_prog_len

On Fri, Jul 28, 2017 at 11:05 PM, Daniel Borkmann <daniel@...earbox.net> wrote:
> bpf_prog_size(prog->len) is not the correct length we want to dump
> back to user space. The code in bpf_prog_get_info_by_fd() uses this
> to copy prog->insnsi to user space, but bpf_prog_size(prog->len) also
> includes the size of struct bpf_prog itself plus program instructions
> and is usually used either in context of accounting or for bpf_prog_alloc()
> et al, thus we copy out of bounds in bpf_prog_get_info_by_fd()
> potentially. Use the correct bpf_prog_insn_size() instead.
Acked-by: Martin KaFai Lau <kafai@...com>

>
> Fixes: 1e2709769086 ("bpf: Add BPF_OBJ_GET_INFO_BY_FD")
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> ---
>  kernel/bpf/syscall.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 84bb399..6c772ad 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -1312,7 +1312,7 @@ static int bpf_prog_get_info_by_fd(struct bpf_prog *prog,
>         }
>
>         ulen = info.xlated_prog_len;
> -       info.xlated_prog_len = bpf_prog_size(prog->len);
> +       info.xlated_prog_len = bpf_prog_insn_size(prog);
>         if (info.xlated_prog_len && ulen) {
>                 uinsns = u64_to_user_ptr(info.xlated_prog_insns);
>                 ulen = min_t(u32, info.xlated_prog_len, ulen);
> --
> 1.9.3
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ