Message-ID: <2e683b78-bd9e-bbb6-c9bb-3ff46a16ef6e@iogearbox.net>
Date:   Wed, 10 Jan 2018 17:23:38 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     syzbot <syzbot+b0efb8e572d01bce1ae0@...kaller.appspotmail.com>,
        ast@...nel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: general protection fault in cgroup_fd_array_put_ptr

On 01/10/2018 04:30 PM, Daniel Borkmann wrote:
> On 01/10/2018 01:58 PM, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on b4464bcab38d3f7fe995a7cb960eeac6889bec08
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> C reproducer is attached
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
> 
> Currently looking into all of the reports. Looks like they're all related to fd array
> map. Will get back once I have some more data & managed to reproduce.

Ok, I know what's going on. Very roughly, we need something like the below
to check for overflows, this definitely fixes it for me. Cooking a proper
patch and doing some more analysis around it.

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index aaa3198..454f52c 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -76,11 +76,17 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
        max_entries = attr->max_entries;
        index_mask = roundup_pow_of_two(max_entries) - 1;

-       if (unpriv)
+       if (unpriv) {
                /* round up array size to nearest power of 2,
                 * since cpu will speculate within index_mask limits
                 */
                max_entries = index_mask + 1;
+               if (max_entries < attr->max_entries)
+                       return ERR_PTR(-E2BIG);
+       }

        array_size = sizeof(*array);
        if (percpu)
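Review bot: the new -E2BIG test guards only the unpriv rounding, but the computation just above it, `index_mask = roundup_pow_of_two(max_entries) - 1;`, runs on both paths and, on architectures where unsigned long is 32 bits wide, evaluates 1UL << 32 for any attr->max_entries above 0x80000000, which is undefined behaviour in C rather than a well-defined wrap. Consider computing the mask in u64 space (fls_long(max_entries - 1), shift 1ULL by that, subtract 1) and assigning the result to index_mask, so that the only overflow left to catch is the index_mask + 1 wrap this hunk now rejects; a short comment such as `/* Check for overflows. */` above the new test would also help, since the wrap of max_entries to 0 that makes `max_entries < attr->max_entries` true is not obvious at a glance.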

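The overflow the mail describes, as an added user-space model that is not code from the kernel or from this thread: the array's allocation size is derived from index_mask + 1, which wraps to 0 in u32 when index_mask is 0xFFFFFFFF, while the bound that lookups compare against stays at attr->max_entries, so an in-range index is masked and then dereferenced far past a tiny allocation. The header size (64 bytes), element size (8 bytes) and all function and struct names here are made-up stand-ins for the kernel's bpf_array layout; the mask is computed in 64-bit space so the shift itself cannot overflow in the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model (added example, not kernel code) of the size arithmetic
 * in array_map_alloc() and the bounds logic of array_map_lookup_elem().
 * HDR_SIZE stands in for sizeof(struct bpf_array); the real value differs.
 */
#define HDR_SIZE 64u

struct model_map {
    int      err;           /* 0 or -E2BIG */
    uint32_t max_entries;   /* attr->max_entries: what lookups compare against */
    uint32_t index_mask;    /* mask applied to the index before use */
    uint32_t alloc_entries; /* entries actually backed by the allocation */
    uint64_t array_size;    /* bytes allocated: HDR_SIZE + alloc_entries * elem_size */
    uint32_t elem_size;
};

/* roundup_pow_of_two(n) - 1, computed in 64-bit space so the shift never overflows.
 * Assumes n >= 1 (the kernel rejects max_entries == 0 before reaching this point). */
static uint64_t mask64(uint32_t n)
{
    uint64_t v = (uint64_t)n - 1;
    unsigned bits = 0;
    while (v) { bits++; v >>= 1; }   /* fls_long(n - 1) */
    return (1ULL << bits) - 1;
}

/* check_overflow == 0 models the code before the patch, 1 models it with the -E2BIG test. */
static struct model_map model_alloc(uint32_t attr_max_entries, uint32_t elem_size,
                                    int unpriv, int check_overflow)
{
    struct model_map m = {0};
    uint32_t max_entries = attr_max_entries;
    uint32_t index_mask = (uint32_t)mask64(max_entries);  /* u32 field, as in the kernel */

    if (unpriv) {
        max_entries = index_mask + 1;   /* wraps to 0 when index_mask == 0xFFFFFFFF */
        if (check_overflow && max_entries < attr_max_entries) {
            m.err = -E2BIG;
            return m;
        }
    }
    m.max_entries   = attr_max_entries;
    m.index_mask    = index_mask;
    m.alloc_entries = max_entries;
    m.elem_size     = elem_size;
    m.array_size    = HDR_SIZE + (uint64_t)max_entries * elem_size;
    return m;
}

/* Byte offset a lookup of `index` would touch, or -1 if the bound check rejects it. */
static int64_t model_lookup_offset(const struct model_map *m, uint32_t index)
{
    if (index >= m->max_entries)
        return -1;
    return (int64_t)HDR_SIZE + (int64_t)m->elem_size * (index & m->index_mask);
}

/* 1 if the element a lookup would read lies outside the allocation, else 0. */
static int lookup_out_of_bounds(const struct model_map *m, uint32_t index)
{
    int64_t off = model_lookup_offset(m, index);
    return off >= 0 && (uint64_t)off + m->elem_size > m->array_size;
}

/* Unprivileged create followed by a lookup: -E2BIG if the create is rejected,
 * 1 if the lookup would read past the allocation, 0 if rejected or in bounds. */
static int unpriv_create_then_lookup(uint32_t attr_max_entries, uint32_t index,
                                     int check_overflow)
{
    struct model_map m = model_alloc(attr_max_entries, 8, 1, check_overflow);
    if (m.err)
        return m.err;
    return lookup_out_of_bounds(&m, index);
}

int main(void)
{
    struct model_map bad = model_alloc(0x80000001u, 8, 1, 0);
    printf("before patch: max_entries=%u alloc_entries=%u array_size=%llu oob_lookup=%d\n",
           bad.max_entries, bad.alloc_entries, (unsigned long long)bad.array_size,
           lookup_out_of_bounds(&bad, 0x80000000u));
    printf("with patch:   create returns %d\n",
           unpriv_create_then_lookup(0x80000001u, 0x80000000u, 1));
    return 0;
}
```

With attr->max_entries = 0x80000001 the mask is 0xFFFFFFFF, the rounded entry count wraps to 0 and the model allocates only the header, yet index 0x80000000 passes the `index >= max_entries` check and is dereferenced gigabytes past the end; with the check from the patch the create fails with -E2BIG instead.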