lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180110225808.w4cypcqsmayec67b@ast-mbp>
Date:   Wed, 10 Jan 2018 14:58:09 -0800
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     ast@...com, netdev@...r.kernel.org
Subject: Re: [PATCH bpf] bpf, array: fix overflow in max_entries and
 undefined behavior in index_mask

On Wed, Jan 10, 2018 at 11:25:05PM +0100, Daniel Borkmann wrote:
> syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
> and thus unprivileged. With the recently added logic in b2157399cc98
> ("bpf: prevent out-of-bounds speculation") we round this up to the next
> power of two value for max_entries for unprivileged such that we can
> apply proper masking into potentially zeroed out map slots.
> 
> However, this will generate an index_mask of 0xffffffff, and therefore
> a + 1 will let this overflow into new max_entries of 0. This will pass
> allocation, etc, and later on map access we still enforce on the original
> attr->max_entries value which was 0xfffffffd, therefore triggering GPF
> all over the place. Thus bail out on overflow in such case.
> 
> Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
> since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
> space is undefined. Therefore, do this by hand in a 64 bit variable.
> 
> This fixes all the issues triggered by syzkaller's reproducers.
> 
> Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
> Reported-by: syzbot+b0efb8e572d01bce1ae0@...kaller.appspotmail.com
> Reported-by: syzbot+6c15e9744f75f2364773@...kaller.appspotmail.com
> Reported-by: syzbot+d2f5524fb46fd3b312ee@...kaller.appspotmail.com
> Reported-by: syzbot+61d23c95395cc90dbc2b@...kaller.appspotmail.com
> Reported-by: syzbot+0d363c942452cca68c01@...kaller.appspotmail.com
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>

Applied, thank you Daniel.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ