lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <59D69FAB.1020605@iogearbox.net>
Date:   Thu, 05 Oct 2017 23:10:03 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Jakub Kicinski <jakub.kicinski@...ronome.com>,
        netdev@...r.kernel.org
CC:     alexei.starovoitov@...il.com, oss-drivers@...ronome.com
Subject: Re: [PATCH net-next 5/5] bpf: write back the verifier log buffer
 as it gets filled

On 10/05/2017 05:34 PM, Jakub Kicinski wrote:
> Verifier log buffer can be quite large (up to 16MB currently).
> As Eric Dumazet points out if we allow multiple verification
> requests to proceed simultaneously, malicious user may use the
> verifier as a way of allocating large amounts of unswappable
> memory to OOM the host.
>
> Switch to a strategy of allocating a smaller buffer (a page)
> and writing it out into the user buffer whenever it fills up.
> To simplify the code assume that prints will never be longer
> than 1024 bytes.
>
> This is in preparation of the global verifier lock removal.
>
> Signed-off-by: Jakub Kicinski <jakub.kicinski@...ronome.com>
> Reviewed-by: Simon Horman <simon.horman@...ronome.com>

Set looks good in general, thanks for working on this! Just two
comments further below.

> ---
>   include/linux/bpf_verifier.h |  7 +++--
>   kernel/bpf/verifier.c        | 64 +++++++++++++++++++++++++++++++-------------
>   2 files changed, 50 insertions(+), 21 deletions(-)
>
> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
> index 598802dd1897..c0f0e210c3f8 100644
> --- a/include/linux/bpf_verifier.h
> +++ b/include/linux/bpf_verifier.h
> @@ -140,10 +140,13 @@ struct bpf_verifier_env {
>   	bool seen_direct_write;
>   	struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
>
> -	u32 log_level;
> +	char __user *log_ubuf;
> +	u32 log_usize;
> +	u32 log_ulen;
> +	char *log_buf;
>   	u32 log_size;
>   	u32 log_len;
> -	char *log_buf;
> +	u32 log_level;

Small request: given we'd now have log_{level,ubuf,usize,ulen,buf,size,len}
in struct bpf_verifier_env, could we abstract that a bit e.g. into something
like struct bpf_verifier_log, which has level and kbuf and ubuf as members
of which {k,u}buf would be something like struct bpf_verifier_buf with three
members (mem or buf, len_total, len_used) or such. I think most of patch 1
is on passing env into verbose, so likely wouldn't be too much change required
for this, but would be nice to make that a bit more structured if we need to
touch it anyway.

>   };
>
[...]
>
>   		ret = -ENOMEM;
> -		env->log_buf = vmalloc(env->log_size);
> +		env->log_buf = page_address(alloc_page(GFP_USER));

alloc_page() can return NULL, if I spot this correctly, then page_address()
cannot handle NULL and would try to deref it, no? Am I missing something?

>   		if (!env->log_buf)
>   			goto err_unlock;
> +		env->log_size = PAGE_SIZE;
>   	}
[...]

Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ