| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Mar 2019 15:22:30 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: Marek Majkowski <marek@...udflare.com>
Cc: Arthur Fabre <afabre@...udflare.com>, ast@...nel.org,
netdev@...r.kernel.org
Subject: Re: SOCKET_FILTER regression - eBPF can't subtract when attached from
unprivileged user
On 03/01/2019 03:10 PM, Marek Majkowski wrote:
> Great, appreciated.
>
> One more thing (since upgrading kernels takes time) do you think I can
> amend eBPF on my side to avoid triggering this? Naive stuff like this
> doesn't work sadly:
>
> uint64_t delta = b + ~a + 1;
>
> I tried couple more variants with uint32_t types, but to no avail. Ideas?
For 32bit based add/sub this would definitely not be triggered, but only
latest LLVM supports alu32 emission. Since you guys are using inline asm
already, perhaps worth a shot.
Thanks,
Daniel
> Marek
>
> On Fri, Mar 1, 2019 at 3:04 PM Daniel Borkmann <daniel@...earbox.net> wrote:
>>
>> On 03/01/2019 12:39 PM, Arthur Fabre wrote:
>>> I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled.
>>>
>>> Dumping the "root" and "non-root" programs with bpftool,
>>> the subtraction instructions differ:
>>>
>>> "non-root":
>>> 0: (85) call bpf_ktime_get_ns#74944
>>> 1: (bf) r7 = r0
>>> 2: (85) call bpf_ktime_get_ns#74944
>>> 3: (bf) r6 = r0
>>> 4: (bf) r8 = r6
>>> 5: (b4) w11 = -1
>>> 6: (1f) r11 -= r8
>>> 7: (4f) r11 |= r8
>>> 8: (87) r11 = -r11
>>> 9: (c7) r11 s>>= 63
>>> 10: (5f) r8 &= r11
>>>
>>> "root":
>>> 0: (85) call bpf_ktime_get_ns#74944
>>> 1: (bf) r7 = r0
>>> 2: (85) call bpf_ktime_get_ns#74944
>>> 3: (bf) r6 = r0
>>> 4: (bf) r8 = r6
>>>
>>> The remainder of the instructions are for writing the results in the map,
>>> and the instructions are identical.
>>>
>>> I believe the extra instructions come from "fixup_bpf_calls" in the verifier:
>>>
>>> if (isneg)
>>> *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
>>> *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
>>> *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
>>> *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
>>> *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
>>> *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
>>> if (issrc) {
>>> *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
>>> off_reg);
>>> insn->src_reg = BPF_REG_AX;
>>> } else {
>>> *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
>>> BPF_REG_AX);
>>> }
>>>
>>> This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic"
>>> (https://patchwork.ozlabs.org/patch/1039606/).
>>> I don't yet understand what's going on.
>>
>> Ok, sigh, fix is this, sorry about the braino:
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index cdd2cb01f789..5b3cd384df1d 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -7629,7 +7629,8 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
>> u32 off_reg;
>>
>> aux = &env->insn_aux_data[i + delta];
>> - if (!aux->alu_state)
>> + if (!aux->alu_state ||
>> + aux->alu_state == BPF_ALU_NON_POINTER)
>> continue;
>>
>> isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
>>
>> And this also makes the test work again:
>>
>> foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ ./ebpf-bug
>> 0 -> 0 0x0000000000000000
>> 1 -> 54645145816 0x0000000cb91ac0d8
>> 2 -> 54645145860 0x0000000cb91ac104
>> 3 -> 44 0x000000000000002c
>> foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ exit
>> root@...t:~/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7# ./ebpf-bug
>> 0 -> 0 0x0000000000000000
>> 1 -> 57984017624 0x0000000d801de4d8
>> 2 -> 57984017673 0x0000000d801de509
>> 3 -> 49 0x0000000000000031
>>
>> I'll cook it as proper patch in a bit along with a test case.
>>
>> Thanks for reporting!
>> Daniel
Powered by blists - more mailing lists