lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri,  1 Mar 2019 11:39:01 +0000
From:   Arthur Fabre <afabre@...udflare.com>
To:     marek@...udflare.com
Cc:     ast@...nel.org, daniel@...earbox.net, netdev@...r.kernel.org,
        afabre@...udflare.com
Subject: RE: SOCKET_FILTER regression - eBPF can't subtract when attached from unprivileged user

I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled.

Dumping the "root" and "non-root" programs with bpftool,
the subtraction instructions differ:

"non-root":
   0: (85) call bpf_ktime_get_ns#74944
   1: (bf) r7 = r0
   2: (85) call bpf_ktime_get_ns#74944
   3: (bf) r6 = r0
   4: (bf) r8 = r6
   5: (b4) w11 = -1
   6: (1f) r11 -= r8
   7: (4f) r11 |= r8
   8: (87) r11 = -r11
   9: (c7) r11 s>>= 63
  10: (5f) r8 &= r11

"root":
   0: (85) call bpf_ktime_get_ns#74944
   1: (bf) r7 = r0
   2: (85) call bpf_ktime_get_ns#74944
   3: (bf) r6 = r0
   4: (bf) r8 = r6

The remainder of the instructions are for writing the results in the map,
and the instructions are identical.

I believe the extra instructions come from "fixup_bpf_calls" in the verifier:

    if (isneg)
        *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
    *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
    *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
    *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
    *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
    *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
    if (issrc) {
        *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
                     off_reg);
        insn->src_reg = BPF_REG_AX;
    } else {
        *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
                     BPF_REG_AX);
    }

This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic"
(https://patchwork.ozlabs.org/patch/1039606/).
I don't yet understand what's going on.

Cheers,

Arthur

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ