lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 3 Apr 2019 23:22:36 -0700
From:   Andrey Ignatov <rdna@...com>
To:     <netdev@...r.kernel.org>
CC:     Andrey Ignatov <rdna@...com>, <ast@...nel.org>,
        <daniel@...earbox.net>, <kernel-team@...com>
Subject: [PATCH v3 bpf-next 0/7] bpf: Fix indirect var_off stack access support

v2->v3:
- sanity check max value for variable offset.

v1->v2:
- rely on meta = NULL to reject var_off stack access to uninit buffer.

This patch set is a follow-up for discussion [1].

It fixes variable offset stack access handling for raw and unprivileged
mode, rejecting both of them, and sanity checks max variable offset value.

Patch 1 handles raw (uninitialized) mode.
Patch 2 adds test for raw mode.
Patch 3 handles unprivileged mode.
Patch 4 adds test for unprivileged mode.
Patch 5 adds sanity check for max value of variable offset.
Patch 6 adds test for variable offset max value checking.
Patch 7 is a minor fix in verbose log.

Unprivileged mode is an interesting case since one (and only?) way to come
up with variable offset is to use pointer arithmetics. Though pointer
arithmetics is already prohibited for unprivileged mode. I'm not sure if
it's enough though and it seems like a good idea to still reject variable
offset for unpriv in check_stack_boundary(). Please see patches 3 and 4 for
more details on this.

[1] https://marc.info/?l=linux-netdev&m=155419526427742&w=2


Andrey Ignatov (7):
  bpf: Reject indirect var_off stack access in raw mode
  selftests/bpf: Test indirect var_off stack access in raw mode
  bpf: Reject indirect var_off stack access in unpriv mode
  selftests/bpf: Test indirect var_off stack access in unpriv mode
  bpf: Sanity check max value for var_off stack access
  selftests/bpf: Test unbounded var_off stack access
  bpf: Add missed newline in verifier verbose log

 kernel/bpf/verifier.c                         |  45 ++++++-
 .../testing/selftests/bpf/verifier/var_off.c  | 111 +++++++++++++++++-
 2 files changed, 150 insertions(+), 6 deletions(-)

-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ