| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Jun 2020 11:27:47 -0700
From: Stanislav Fomichev <sdf@...gle.com>
To: netdev@...r.kernel.org, bpf@...r.kernel.org
Cc: davem@...emloft.net, ast@...nel.org, daniel@...earbox.net,
Stanislav Fomichev <sdf@...gle.com>,
David Laight <David.Laight@...LAB.COM>
Subject: [PATCH bpf v3 1/2] bpf: don't return EINVAL from {get,set}sockopt
when optlen > PAGE_SIZE
Attaching to these hooks can break iptables because its optval is
usually quite big, or at least bigger than the current PAGE_SIZE limit.
David also mentioned some SCTP options can be big (around 256k).
There are two possible ways to fix it:
1. Increase the limit to match iptables max optval. There is, however,
no clear upper limit. Technically, iptables can accept up to
512M of data (not sure how practical it is though).
2. Bypass the value (don't expose to BPF) if it's too big and trigger
BPF only with level/optname so BPF can still decide whether
to allow/deny big sockopts.
The initial attempt was implemented using strategy #1. Due to
listed shortcomings, let's switch to strategy #2. When there is
legitimate a real use-case for iptables/SCTP, we can consider increasing
the PAGE_SIZE limit.
v3:
* don't increase the limit, bypass the argument
v2:
* proper comments formatting (Jakub Kicinski)
Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
Cc: David Laight <David.Laight@...LAB.COM>
Signed-off-by: Stanislav Fomichev <sdf@...gle.com>
---
kernel/bpf/cgroup.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index fdf7836750a3..758082853086 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1276,9 +1276,18 @@ static bool __cgroup_bpf_prog_array_is_empty(struct cgroup *cgrp,
static int sockopt_alloc_buf(struct bpf_sockopt_kern *ctx, int max_optlen)
{
- if (unlikely(max_optlen > PAGE_SIZE) || max_optlen < 0)
+ if (unlikely(max_optlen < 0))
return -EINVAL;
+ if (unlikely(max_optlen > PAGE_SIZE)) {
+ /* We don't expose optvals that are greater than PAGE_SIZE
+ * to the BPF program.
+ */
+ ctx->optval = NULL;
+ ctx->optval_end = NULL;
+ return 0;
+ }
+
ctx->optval = kzalloc(max_optlen, GFP_USER);
if (!ctx->optval)
return -ENOMEM;
@@ -1325,7 +1334,7 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
ctx.optlen = *optlen;
- if (copy_from_user(ctx.optval, optval, *optlen) != 0) {
+ if (ctx.optval && copy_from_user(ctx.optval, optval, *optlen) != 0) {
ret = -EFAULT;
goto out;
}
@@ -1407,7 +1416,8 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
if (ctx.optlen > max_optlen)
ctx.optlen = max_optlen;
- if (copy_from_user(ctx.optval, optval, ctx.optlen) != 0) {
+ if (ctx.optval &&
+ copy_from_user(ctx.optval, optval, ctx.optlen) != 0) {
ret = -EFAULT;
goto out;
}
@@ -1436,7 +1446,7 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
goto out;
}
- if (copy_to_user(optval, ctx.optval, ctx.optlen) ||
+ if ((ctx.optval && copy_to_user(optval, ctx.optval, ctx.optlen)) ||
put_user(ctx.optlen, optlen)) {
ret = -EFAULT;
goto out;
--
2.27.0.278.ge193c7cf3a9-goog
Powered by blists - more mailing lists