| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d100ce6a-4c8b-5c94-6601-685a536d52eb@iogearbox.net>
Date: Fri, 1 Mar 2019 15:04:42 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: Arthur Fabre <afabre@...udflare.com>, marek@...udflare.com
Cc: ast@...nel.org, netdev@...r.kernel.org
Subject: Re: SOCKET_FILTER regression - eBPF can't subtract when attached from
unprivileged user
On 03/01/2019 12:39 PM, Arthur Fabre wrote:
> I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled.
>
> Dumping the "root" and "non-root" programs with bpftool,
> the subtraction instructions differ:
>
> "non-root":
> 0: (85) call bpf_ktime_get_ns#74944
> 1: (bf) r7 = r0
> 2: (85) call bpf_ktime_get_ns#74944
> 3: (bf) r6 = r0
> 4: (bf) r8 = r6
> 5: (b4) w11 = -1
> 6: (1f) r11 -= r8
> 7: (4f) r11 |= r8
> 8: (87) r11 = -r11
> 9: (c7) r11 s>>= 63
> 10: (5f) r8 &= r11
>
> "root":
> 0: (85) call bpf_ktime_get_ns#74944
> 1: (bf) r7 = r0
> 2: (85) call bpf_ktime_get_ns#74944
> 3: (bf) r6 = r0
> 4: (bf) r8 = r6
>
> The remainder of the instructions are for writing the results in the map,
> and the instructions are identical.
>
> I believe the extra instructions come from "fixup_bpf_calls" in the verifier:
>
> if (isneg)
> *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
> *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
> *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
> *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
> *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
> *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
> if (issrc) {
> *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
> off_reg);
> insn->src_reg = BPF_REG_AX;
> } else {
> *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
> BPF_REG_AX);
> }
>
> This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic"
> (https://patchwork.ozlabs.org/patch/1039606/).
> I don't yet understand what's going on.
Ok, sigh, fix is this, sorry about the braino:
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index cdd2cb01f789..5b3cd384df1d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7629,7 +7629,8 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
u32 off_reg;
aux = &env->insn_aux_data[i + delta];
- if (!aux->alu_state)
+ if (!aux->alu_state ||
+ aux->alu_state == BPF_ALU_NON_POINTER)
continue;
isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
And this also makes the test work again:
foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ ./ebpf-bug
0 -> 0 0x0000000000000000
1 -> 54645145816 0x0000000cb91ac0d8
2 -> 54645145860 0x0000000cb91ac104
3 -> 44 0x000000000000002c
foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ exit
root@...t:~/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7# ./ebpf-bug
0 -> 0 0x0000000000000000
1 -> 57984017624 0x0000000d801de4d8
2 -> 57984017673 0x0000000d801de509
3 -> 49 0x0000000000000031
I'll cook it as proper patch in a bit along with a test case.
Thanks for reporting!
Daniel
Powered by blists - more mailing lists