lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <af0643e0-08a1-6326-2a80-71892de1bf56@iogearbox.net>
Date:   Fri, 1 Mar 2019 15:22:30 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Marek Majkowski <marek@...udflare.com>
Cc:     Arthur Fabre <afabre@...udflare.com>, ast@...nel.org,
        netdev@...r.kernel.org
Subject: Re: SOCKET_FILTER regression - eBPF can't subtract when attached from
 unprivileged user

On 03/01/2019 03:10 PM, Marek Majkowski wrote:
> Great, appreciated.
> 
> One more thing (since upgrading kernels takes time) do you think I can
> amend eBPF on my side to avoid triggering this? Naive stuff like this
> doesn't work sadly:
> 
>     uint64_t delta = b + ~a + 1;
> 
> I tried couple more variants with uint32_t types, but to no avail. Ideas?

For 32bit based add/sub this would definitely not be triggered, but only
latest LLVM supports alu32 emission. Since you guys are using inline asm
already, perhaps worth a shot.

Thanks,
Daniel

> Marek
> 
> On Fri, Mar 1, 2019 at 3:04 PM Daniel Borkmann <daniel@...earbox.net> wrote:
>>
>> On 03/01/2019 12:39 PM, Arthur Fabre wrote:
>>> I can reproduce this on 4.19.0-3-amd64 both with, and without the JIT enabled.
>>>
>>> Dumping the "root" and "non-root" programs with bpftool,
>>> the subtraction instructions differ:
>>>
>>> "non-root":
>>>    0: (85) call bpf_ktime_get_ns#74944
>>>    1: (bf) r7 = r0
>>>    2: (85) call bpf_ktime_get_ns#74944
>>>    3: (bf) r6 = r0
>>>    4: (bf) r8 = r6
>>>    5: (b4) w11 = -1
>>>    6: (1f) r11 -= r8
>>>    7: (4f) r11 |= r8
>>>    8: (87) r11 = -r11
>>>    9: (c7) r11 s>>= 63
>>>   10: (5f) r8 &= r11
>>>
>>> "root":
>>>    0: (85) call bpf_ktime_get_ns#74944
>>>    1: (bf) r7 = r0
>>>    2: (85) call bpf_ktime_get_ns#74944
>>>    3: (bf) r6 = r0
>>>    4: (bf) r8 = r6
>>>
>>> The remainder of the instructions are for writing the results in the map,
>>> and the instructions are identical.
>>>
>>> I believe the extra instructions come from "fixup_bpf_calls" in the verifier:
>>>
>>>     if (isneg)
>>>         *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
>>>     *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
>>>     *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
>>>     *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
>>>     *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
>>>     *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
>>>     if (issrc) {
>>>         *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
>>>                      off_reg);
>>>         insn->src_reg = BPF_REG_AX;
>>>     } else {
>>>         *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
>>>                      BPF_REG_AX);
>>>     }
>>>
>>> This was introduced by "bpf: prevent out of bounds speculation on pointer arithmetic"
>>> (https://patchwork.ozlabs.org/patch/1039606/).
>>> I don't yet understand what's going on.
>>
>> Ok, sigh, fix is this, sorry about the braino:
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index cdd2cb01f789..5b3cd384df1d 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -7629,7 +7629,8 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
>>                         u32 off_reg;
>>
>>                         aux = &env->insn_aux_data[i + delta];
>> -                       if (!aux->alu_state)
>> +                       if (!aux->alu_state ||
>> +                           aux->alu_state == BPF_ALU_NON_POINTER)
>>                                 continue;
>>
>>                         isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
>>
>> And this also makes the test work again:
>>
>> foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ ./ebpf-bug
>> 0 ->                    0 0x0000000000000000
>> 1 ->          54645145816 0x0000000cb91ac0d8
>> 2 ->          54645145860 0x0000000cb91ac104
>> 3 ->                   44 0x000000000000002c
>> foo@...t:/root/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7$ exit
>> root@...t:~/d0bb75a8c62cc35bec2b342054084aab-7cc37a3a93c8b4028e977f3131feaf7f8705e6a7# ./ebpf-bug
>> 0 ->                    0 0x0000000000000000
>> 1 ->          57984017624 0x0000000d801de4d8
>> 2 ->          57984017673 0x0000000d801de509
>> 3 ->                   49 0x0000000000000031
>>
>> I'll cook it as proper patch in a bit along with a test case.
>>
>> Thanks for reporting!
>> Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ