| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJPywTJiHxWeRun5Jpgo2TEQvcKUe1OcpP9eKi+q2m_WSyY6ag@mail.gmail.com>
Date: Fri, 1 Mar 2019 15:10:32 +0100
From: Marek Majkowski <marek@...udflare.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Arthur Fabre <afabre@...udflare.com>, ast@...nel.org,
netdev@...r.kernel.org
Subject: Re: SOCKET_FILTER regression - eBPF can't subtract when attached from
unprivileged user
Great, appreciated.
One more thing (since upgrading kernels takes time) do you think I can
amend eBPF on my side to avoid triggering this? Naive stuff like this
doesn't work sadly:
uint64_t delta = b + ~a + 1;
I tried couple more variants with uint32_t types, but to no avail. Ideas?
Marek
On Fri, Mar 1, 2019 at 3:04 PM Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On 03/01/2019 12:39 PM, Arthur Fabre wrote:
> > I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled.
> >
> > Dumping the "root" and "non-root" programs with bpftool,
> > the subtraction instructions differ:
> >
> > "non-root":
> > 0: (85) call bpf_ktime_get_ns#74944
> > 1: (bf) r7 = r0
> > 2: (85) call bpf_ktime_get_ns#74944
> > 3: (bf) r6 = r0
> > 4: (bf) r8 = r6
> > 5: (b4) w11 = -1
> > 6: (1f) r11 -= r8
> > 7: (4f) r11 |= r8
> > 8: (87) r11 = -r11
> > 9: (c7) r11 s>>= 63
> > 10: (5f) r8 &= r11
> >
> > "root":
> > 0: (85) call bpf_ktime_get_ns#74944
> > 1: (bf) r7 = r0
> > 2: (85) call bpf_ktime_get_ns#74944
> > 3: (bf) r6 = r0
> > 4: (bf) r8 = r6
> >
> > The remainder of the instructions are for writing the results in the map,
> > and the instructions are identical.
> >
> > I believe the extra instructions come from "fixup_bpf_calls" in the verifier:
> >
> > if (isneg)
> > *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
> > *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
> > *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
> > *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
> > *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
> > *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
> > if (issrc) {
> > *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
> > off_reg);
> > insn->src_reg = BPF_REG_AX;
> > } else {
> > *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
> > BPF_REG_AX);
> > }
> >
> > This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic"
> > (https://patchwork.ozlabs.org/patch/1039606/).
> > I don't yet understand what's going on.
>
> Ok, sigh, fix is this, sorry about the braino:
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index cdd2cb01f789..5b3cd384df1d 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -7629,7 +7629,8 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
> u32 off_reg;
>
> aux = &env->insn_aux_data[i + delta];
> - if (!aux->alu_state)
> + if (!aux->alu_state ||
> + aux->alu_state == BPF_ALU_NON_POINTER)
> continue;
>
> isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
>
> And this also makes the test work again:
>
> foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ ./ebpf-bug
> 0 -> 0 0x0000000000000000
> 1 -> 54645145816 0x0000000cb91ac0d8
> 2 -> 54645145860 0x0000000cb91ac104
> 3 -> 44 0x000000000000002c
> foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ exit
> root@...t:~/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7# ./ebpf-bug
> 0 -> 0 0x0000000000000000
> 1 -> 57984017624 0x0000000d801de4d8
> 2 -> 57984017673 0x0000000d801de509
> 3 -> 49 0x0000000000000031
>
> I'll cook it as proper patch in a bit along with a test case.
>
> Thanks for reporting!
> Daniel
Powered by blists - more mailing lists