| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4dcc1530-ffdf-30a5-9806-0b06cd0f12d6@iogearbox.net>
Date: Sat, 4 Jul 2020 00:24:16 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Lorenzo Bianconi <lorenzo@...nel.org>
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org, davem@...emloft.net,
ast@...nel.org, brouer@...hat.com, toke@...hat.com,
lorenzo.bianconi@...hat.com, dsahern@...nel.org,
andrii.nakryiko@...il.com
Subject: Re: [PATCH v5 bpf-next 5/9] bpf: cpumap: add the possibility to
attach an eBPF program to cpumap
On 7/3/20 10:48 PM, Lorenzo Bianconi wrote:
>> On 6/30/20 2:49 PM, Lorenzo Bianconi wrote:
>> [...]
>
> [...]
>
>>> old_rcpu = xchg(&cmap->cpu_map[key_cpu], rcpu);
>>> if (old_rcpu) {
>>> + if (old_rcpu->prog)
>>> + bpf_prog_put(old_rcpu->prog);
>>> call_rcu(&old_rcpu->rcu, __cpu_map_entry_free);
>>> INIT_WORK(&old_rcpu->kthread_stop_wq, cpu_map_kthread_stop);
>>> schedule_work(&old_rcpu->kthread_stop_wq);
>>
>> Hm, not quite sure I follow the logic here. Why is the bpf_prog_put() not placed inside
>> __cpu_map_entry_free(), for example? Wouldn't this at least leave a potential small race
>> window of UAF given the rest is still live? If we already piggy-back from RCU side on
>> rcpu entry, why not having it in __cpu_map_entry_free()?
>
> ack right, thanks for spotting this issue. I guess we can even move
> "bpf_prog_put(rcpu->prog)" in put_cpu_map_entry() so the last consumer
> of bpf_cpu_map_entry will free the attached program. Agree?
Yes, that sounds reasonable to me.
Thanks,
Daniel
Powered by blists - more mailing lists