Message-ID: <9901acba-87a1-293a-64fc-a0707f9e5374@iogearbox.net>
Date:   Sat, 3 Feb 2018 02:25:12 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Alexei Starovoitov <ast@...nel.org>, davem@...emloft.net
Cc:     netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH bpf] bpf: fix bpf_prog_array_copy_to_user() issues

On 02/03/2018 12:14 AM, Alexei Starovoitov wrote:
> 1. move copy_to_user out of rcu section to fix the following issue:
> 
> ./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!
> stack backtrace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
>  rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
>  ___might_sleep+0x385/0x470 kernel/sched/core.c:6079
>  __might_sleep+0x95/0x190 kernel/sched/core.c:6067
>  __might_fault+0xab/0x1d0 mm/memory.c:4532
>  _copy_to_user+0x2c/0xc0 lib/usercopy.c:25
>  copy_to_user include/linux/uaccess.h:155 [inline]
>  bpf_prog_array_copy_to_user+0x217/0x4d0 kernel/bpf/core.c:1587
>  bpf_prog_array_copy_info+0x17b/0x1c0 kernel/bpf/core.c:1685
>  perf_event_query_prog_array+0x196/0x280 kernel/trace/bpf_trace.c:877
>  _perf_ioctl kernel/events/core.c:4737 [inline]
>  perf_ioctl+0x3e1/0x1480 kernel/events/core.c:4757
> 
> 2. move *prog under rcu, since it's not ok to dereference it afterwards
> 
> 3. in a rare case of prog array being swapped between bpf_prog_array_length()
>    and bpf_prog_array_copy_to_user() calls make sure to copy zeros to user space,
>    so the user doesn't walk over uninited prog_ids while kernel reported
>    uattr->query.prog_cnt > 0
> 
> Reported-by: syzbot+7dbcd2d3b85f9b608b23@...kaller.appspotmail.com
> Fixes: 468e2f64d220 ("bpf: introduce BPF_PROG_QUERY command")
> Signed-off-by: Alexei Starovoitov <ast@...nel.org>

LGTM, fix applied to bpf tree, thanks Alexei!
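
The three points in the commit message quoted above describe a pattern worth seeing end to end. Below is an added, self-contained userspace model of it, written for this archive page; it is not Alexei's patch and not kernel code, and every name in it (struct mctx, struct mprog, the *_m helpers, the replay() harness, the sample program ids 11/22/33) is invented for the illustration. The pre-fix shape and the fixed shape sit side by side, and replay() runs the length-then-copy sequence with the program array swapped in between, as point 3 describes.

```c
/* Added illustration, not kernel code and not the patch itself: a userspace
 * model of the copy-out pattern the commit message describes. All names here
 * (mctx, mprog, *_m) are invented. "RCU" is a pointer plus a depth counter;
 * copy_to_user_m() counts calls made inside a read-side section, which is
 * what the quoted lockdep splat reports (copy_to_user() may fault and sleep). */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct mprog { uint32_t id; };
struct mctx {
    struct mprog **progs;   /* NULL-terminated array, "RCU-protected" */
    int rcu_depth;          /* > 0 while inside a read-side section */
    int copies_under_rcu;   /* copy_to_user_m() calls made with rcu_depth > 0 */
};

static void rcu_read_lock_m(struct mctx *c)   { c->rcu_depth++; }
static void rcu_read_unlock_m(struct mctx *c) { c->rcu_depth--; }

/* Like copy_to_user(): returns the number of bytes NOT copied. */
static unsigned long copy_to_user_m(struct mctx *c, void *dst, const void *src, size_t n)
{
    c->copies_under_rcu += (c->rcu_depth > 0);
    memcpy(dst, src, n);
    return 0;
}

static uint32_t prog_array_length_m(struct mctx *c)
{
    uint32_t cnt = 0;
    rcu_read_lock_m(c);
    for (struct mprog **p = c->progs; *p; p++) cnt++;
    rcu_read_unlock_m(c);
    return cnt;
}

/* Pre-fix shape: ids copied out one at a time while still inside the read-side
 * section, and slots past the end of a swapped-in shorter array never written. */
static int copy_ids_buggy_m(struct mctx *c, uint32_t *uids, uint32_t cnt)
{
    uint32_t i = 0;
    rcu_read_lock_m(c);
    for (struct mprog **p = c->progs; *p && i < cnt; p++, i++) {
        if (copy_to_user_m(c, &uids[i], &(*p)->id, sizeof(uint32_t)))
            { rcu_read_unlock_m(c); return -EFAULT; }
    }
    rcu_read_unlock_m(c);
    return 0;
}

/* Fixed shape, per the three points above: snapshot ids into a zeroed buffer
 * under the lock (*p dereferenced only there), drop the lock, then copy exactly
 * cnt entries once. A shrunken array yields trailing zeros; a grown one -ENOSPC. */
static int copy_ids_fixed_m(struct mctx *c, uint32_t *uids, uint32_t cnt)
{
    uint32_t *ids, i = 0;
    struct mprog **p;
    int nospc;
    if (cnt == 0)
        return 0;                        /* callers only ask when length > 0 */
    ids = calloc(cnt, sizeof(*ids));     /* kcalloc(): zero-filled */
    if (!ids)
        return -ENOMEM;
    rcu_read_lock_m(c);
    for (p = c->progs; *p; p++) {
        ids[i] = (*p)->id;
        if (++i == cnt) { p++; break; }
    }
    nospc = (*p != NULL);
    rcu_read_unlock_m(c);
    unsigned long left = copy_to_user_m(c, uids, ids, cnt * sizeof(*ids));
    free(ids);
    if (left)
        return -EFAULT;
    return nospc ? -ENOSPC : 0;
}

/* Replay of the race in point 3: the length of a len_at_query-program array is
 * read, a len_at_copy-program array is swapped in (as a concurrent attach or
 * detach would), then the copy runs. last_uids plays the user buffer, prefilled
 * with a marker so untouched slots stay visible. Returns the copy's rc. */
static uint32_t last_uids[3];
static int last_copies_under_rcu;

static int replay(int (*copy)(struct mctx *, uint32_t *, uint32_t),
                  int len_at_query, int len_at_copy)
{
    static struct mprog sample[3] = {{11}, {22}, {33}};  /* constructed ids */
    struct mprog *at_query[4] = {0}, *at_copy[4] = {0};
    for (int i = 0; i < len_at_query; i++) at_query[i] = &sample[i];
    for (int i = 0; i < len_at_copy; i++)  at_copy[i] = &sample[i];
    struct mctx c = {.progs = at_query};
    uint32_t cnt = prog_array_length_m(&c);
    c.progs = at_copy;                       /* swapped between the two calls */
    for (int i = 0; i < 3; i++)
        last_uids[i] = 0xdeadbeef;
    int rc = copy(&c, last_uids, cnt);
    last_copies_under_rcu = c.copies_under_rcu;
    return rc;
}
```

In the model, replay(copy_ids_fixed_m, 3, 1) returns 0 and leaves the user buffer as 11, 0, 0 with no copy made under the read lock; the buggy variant leaves the two trailing slots untouched and performs its copy inside the read-side section, which is the condition lockdep flagged in the trace above. Swapping a larger array in (replay(copy_ids_fixed_m, 1, 3)) fills the one requested slot and returns -ENOSPC in the model, signalling that the caller's buffer was too small for the array it ended up reading.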
