lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <ef8e597a-745b-6355-8814-5b863c95e232@iogearbox.net> Date: Fri, 1 Mar 2019 13:51:00 +0100 From: Daniel Borkmann <daniel@...earbox.net> To: Arthur Fabre <afabre@...udflare.com>, marek@...udflare.com Cc: ast@...nel.org, netdev@...r.kernel.org Subject: Re: SOCKET_FILTER regression - eBPF can't subtract when attached from unprivileged user On 03/01/2019 12:39 PM, Arthur Fabre wrote: > I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled. > > Dumping the "root" and "non-root" programs with bpftool, > the subtraction instructions differ: > > "non-root": > 0: (85) call bpf_ktime_get_ns#74944 > 1: (bf) r7 = r0 > 2: (85) call bpf_ktime_get_ns#74944 > 3: (bf) r6 = r0 > 4: (bf) r8 = r6 > 5: (b4) w11 = -1 > 6: (1f) r11 -= r8 > 7: (4f) r11 |= r8 > 8: (87) r11 = -r11 > 9: (c7) r11 s>>= 63 > 10: (5f) r8 &= r11 > > "root": > 0: (85) call bpf_ktime_get_ns#74944 > 1: (bf) r7 = r0 > 2: (85) call bpf_ktime_get_ns#74944 > 3: (bf) r6 = r0 > 4: (bf) r8 = r6 > > The remainder of the instructions are for writing the results in the map, > and the instructions are identical. > > I believe the extra instructions come from "fixup_bpf_calls" in the verifier: > > if (isneg) > *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); > *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1); > *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); > *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); > *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); > *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); > if (issrc) { > *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, > off_reg); > insn->src_reg = BPF_REG_AX; > } else { > *patch++ = BPF_ALU64_REG(BPF_AND, off_reg, > BPF_REG_AX); > } > > This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic" > (https://patchwork.ozlabs.org/patch/1039606/). > I don't yet understand what's going on. Hmm, thanks for the report, I'll take a look right away! There's no map involved here it seems, so there shouldn't be such fixup. Cheers, Daniel
Powered by blists - more mailing lists