lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ef8e597a-745b-6355-8814-5b863c95e232@iogearbox.net>
Date:   Fri, 1 Mar 2019 13:51:00 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Arthur Fabre <afabre@...udflare.com>, marek@...udflare.com
Cc:     ast@...nel.org, netdev@...r.kernel.org
Subject: Re: SOCKET_FILTER regression - eBPF can't subtract when attached from
 unprivileged user

On 03/01/2019 12:39 PM, Arthur Fabre wrote:
> I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled.
> 
> Dumping the "root" and "non-root" programs with bpftool,
> the subtraction instructions differ:
> 
> "non-root":
>    0: (85) call bpf_ktime_get_ns#74944
>    1: (bf) r7 = r0
>    2: (85) call bpf_ktime_get_ns#74944
>    3: (bf) r6 = r0
>    4: (bf) r8 = r6
>    5: (b4) w11 = -1
>    6: (1f) r11 -= r8
>    7: (4f) r11 |= r8
>    8: (87) r11 = -r11
>    9: (c7) r11 s>>= 63
>   10: (5f) r8 &= r11
> 
> "root":
>    0: (85) call bpf_ktime_get_ns#74944
>    1: (bf) r7 = r0
>    2: (85) call bpf_ktime_get_ns#74944
>    3: (bf) r6 = r0
>    4: (bf) r8 = r6
> 
> The remainder of the instructions are for writing the results in the map,
> and the instructions are identical.
> 
> I believe the extra instructions come from "fixup_bpf_calls" in the verifier:
> 
>     if (isneg)
>         *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
>     *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
>     *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
>     *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
>     *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
>     *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
>     if (issrc) {
>         *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
>                      off_reg);
>         insn->src_reg = BPF_REG_AX;
>     } else {
>         *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
>                      BPF_REG_AX);
>     }
> 
> This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic"
> (https://patchwork.ozlabs.org/patch/1039606/).
> I don't yet understand what's going on.

Hmm, thanks for the report, I'll take a look right away! There's no map
involved here it seems, so there shouldn't be such fixup.

Cheers,
Daniel

Powered by blists - more mailing lists