Message-ID: <9619708a-c0e5-7a01-7141-9aef1f9166c7@iogearbox.net>
Date:   Fri, 5 Apr 2019 17:03:09 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Andrey Ignatov <rdna@...com>, netdev@...r.kernel.org
Cc:     ast@...nel.org, kernel-team@...com
Subject: Re: [PATCH v3 bpf-next 0/7] bpf: Fix indirect var_off stack access
 support

On 04/04/2019 08:22 AM, Andrey Ignatov wrote:
> v2->v3:
> - sanity check max value for variable offset.
> 
> v1->v2:
> - rely on meta = NULL to reject var_off stack access to uninit buffer.
> 
> This patch set is a follow-up for discussion [1].
> 
> It fixes variable offset stack access handling for raw and unprivileged
> mode, rejecting both of them, and sanity checks max variable offset value.
> 
> Patch 1 handles raw (uninitialized) mode.
> Patch 2 adds test for raw mode.
> Patch 3 handles unprivileged mode.
> Patch 4 adds test for unprivileged mode.
> Patch 5 adds sanity check for max value of variable offset.
> Patch 6 adds test for variable offset max value checking.
> Patch 7 is a minor fix in verbose log.
> 
> Unprivileged mode is an interesting case since one (and only?) way to come
> up with variable offset is to use pointer arithmetics. Though pointer
> arithmetics is already prohibited for unprivileged mode. I'm not sure if
> it's enough though and it seems like a good idea to still reject variable
> offset for unpriv in check_stack_boundary(). Please see patches 3 and 4 for
> more details on this.
> 
> [1] https://marc.info/?l=linux-netdev&m=155419526427742&w=2
> 
> 
> Andrey Ignatov (7):
>   bpf: Reject indirect var_off stack access in raw mode
>   selftests/bpf: Test indirect var_off stack access in raw mode
>   bpf: Reject indirect var_off stack access in unpriv mode
>   selftests/bpf: Test indirect var_off stack access in unpriv mode
>   bpf: Sanity check max value for var_off stack access
>   selftests/bpf: Test unbounded var_off stack access
>   bpf: Add missed newline in verifier verbose log
> 
>  kernel/bpf/verifier.c                         |  45 ++++++-
>  .../testing/selftests/bpf/verifier/var_off.c  | 111 +++++++++++++++++-
>  2 files changed, 150 insertions(+), 6 deletions(-)
> 

Applied, thanks!
