| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <59E51BA3.8040106@iogearbox.net>
Date: Mon, 16 Oct 2017 22:50:43 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Richard Weinberger <richard@....at>, netdev@...r.kernel.org
CC: linux-kernel@...r.kernel.org, ast@...nel.org
Subject: Re: [PATCH 3/3] bpf: Make sure that ->comm does not change under
us.
On 10/16/2017 08:18 PM, Richard Weinberger wrote:
> Sadly we cannot use get_task_comm() since bpf_get_current_comm()
> allows truncation.
>
> Signed-off-by: Richard Weinberger <richard@....at>
> ---
> kernel/bpf/helpers.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 511c9d522cfc..4b042b24524d 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -18,6 +18,7 @@
> #include <linux/sched.h>
> #include <linux/uidgid.h>
> #include <linux/filter.h>
> +#include <linux/sched/task.h>
>
> /* If kernel subsystem is allowing eBPF programs to call this function,
> * inside its own verifier_ops->get_func_proto() callback it should return
> @@ -149,7 +150,9 @@ BPF_CALL_2(bpf_get_current_comm, char *, buf, u32, size)
> {
> struct task_struct *task = current;
>
> + task_lock(task);
> strncpy(buf, task->comm, size);
> + task_unlock(task);
Wouldn't this potentially lead to a deadlock? E.g. you attach yourself
to task_lock() / spin_lock() / etc, and then the BPF prog triggers the
bpf_get_current_comm() taking the lock again ...
> /* Verifier guarantees that size > 0. For task->comm exceeding
> * size, guarantee that buf is %NUL-terminated. Unconditionally
>
Powered by blists - more mailing lists