lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2952ff05-7b61-f4f7-df80-2f925b25fadc@iogearbox.net>
Date:   Wed, 28 Nov 2018 09:45:13 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Prashant Bhole <bhole_prashant_q7@....ntt.co.jp>,
        Alexei Starovoitov <ast@...nel.org>
Cc:     Mauricio Vasquez B <mauricio.vasquez@...ito.it>,
        netdev@...r.kernel.org
Subject: Re: [PATCH bpf 2/2] bpf: test_verifier, test for lookup on
 queue/stack maps

On 11/28/2018 08:51 AM, Prashant Bhole wrote:
> This patch adds tests to check whether bpf verifier prevents lookup
> on queue/stack maps
> 
> Signed-off-by: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp>
> ---
>  tools/testing/selftests/bpf/test_verifier.c | 52 +++++++++++++++++++++
>  1 file changed, 52 insertions(+)
> 
> diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
> index 550b7e46bf4a..becd9f4f3980 100644
> --- a/tools/testing/selftests/bpf/test_verifier.c
> +++ b/tools/testing/selftests/bpf/test_verifier.c
> @@ -74,6 +74,8 @@ struct bpf_test {
>  	int fixup_map_in_map[MAX_FIXUPS];
>  	int fixup_cgroup_storage[MAX_FIXUPS];
>  	int fixup_percpu_cgroup_storage[MAX_FIXUPS];
> +	int fixup_map_queue[MAX_FIXUPS];
> +	int fixup_map_stack[MAX_FIXUPS];
>  	const char *errstr;
>  	const char *errstr_unpriv;
>  	uint32_t retval, retval_unpriv;
> @@ -4611,6 +4613,38 @@ static struct bpf_test tests[] = {
>  		.errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
>  		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
>  	},
> +	{
> +		"prevent map lookup in queue map",
> +		.insns = {
> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> +				     BPF_FUNC_map_lookup_elem),
> +			BPF_EXIT_INSN(),
> +		},
> +		.fixup_map_queue = { 3 },
> +		.result = REJECT,
> +		.errstr = "invalid stack type R2 off=-8 access_size=0",
> +		.prog_type = BPF_PROG_TYPE_XDP,

Hmm, the approach in patch 1 is very fragile, and we're lucky in this case
that the verifier bailed out with 'invalid stack type R2 off=-8 access_size=0'
because of key size being zero. If this would have not been the case then
the added ERR_PTR(-EOPNOTSUPP) would basically be seen as a valid pointer and
the program could read/write into it. Instead, this needs to be prevented much
earlier like check_map_func_compatibility(), and I would like to have a split
on these approaches to make verifier more robust. While you want ERR_PTR(-EOPNOTSUPP)
for user space syscall side, the BPF prog should only ever see (if anything)
a NULL here, because this is what the verifier matches later on to set the map
value_or_null pointer to a map value pointer.

> +	},
> +	{
> +		"prevent map lookup in stack map",
> +		.insns = {
> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> +				     BPF_FUNC_map_lookup_elem),
> +			BPF_EXIT_INSN(),
> +		},
> +		.fixup_map_stack = { 3 },
> +		.result = REJECT,
> +		.errstr = "invalid stack type R2 off=-8 access_size=0",
> +		.prog_type = BPF_PROG_TYPE_XDP,
> +	},
>  	{
>  		"prevent map lookup in prog array",
>  		.insns = {
> @@ -14048,6 +14082,8 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
>  	int *fixup_map_sockhash = test->fixup_map_sockhash;
>  	int *fixup_map_xskmap = test->fixup_map_xskmap;
>  	int *fixup_map_stacktrace = test->fixup_map_stacktrace;
> +	int *fixup_map_queue = test->fixup_map_queue;
> +	int *fixup_map_stack = test->fixup_map_stack;
>  	int *fixup_prog1 = test->fixup_prog1;
>  	int *fixup_prog2 = test->fixup_prog2;
>  	int *fixup_map_in_map = test->fixup_map_in_map;
> @@ -14168,6 +14204,22 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
>  			fixup_map_stacktrace++;
>  		} while (fixup_map_stacktrace);
>  	}
> +	if (*fixup_map_queue) {
> +		map_fds[13] = create_map(BPF_MAP_TYPE_QUEUE, 0,
> +					 sizeof(u32), 1);
> +		do {
> +			prog[*fixup_map_queue].imm = map_fds[13];
> +			fixup_map_queue++;
> +		} while (*fixup_map_queue);
> +	}
> +	if (*fixup_map_stack) {
> +		map_fds[14] = create_map(BPF_MAP_TYPE_STACK, 0,
> +					 sizeof(u32), 1);
> +		do {
> +			prog[*fixup_map_stack].imm = map_fds[14];
> +			fixup_map_stack++;
> +		} while (*fixup_map_stack);
> +	}
>  }
>  
>  static int set_admin(bool admin)
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ