lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 22 Jul 2020 22:14:18 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Maciej Fijalkowski <maciej.fijalkowski@...el.com>
Cc:     ast@...nel.org, bpf@...r.kernel.org, netdev@...r.kernel.org,
        bjorn.topel@...el.com, magnus.karlsson@...el.com
Subject: Re: [PATCH v2 bpf-next 2/6] bpf: propagate poke descriptors to
 subprograms

On 7/22/20 8:37 PM, Maciej Fijalkowski wrote:
> On Wed, Jul 22, 2020 at 04:40:42PM +0200, Daniel Borkmann wrote:
>> On 7/21/20 1:53 PM, Maciej Fijalkowski wrote:
>>> Previously, there was no need for poke descriptors being present in
>>> subprogram's bpf_prog_aux struct since tailcalls were simply not allowed
>>> in them. Each subprog is JITed independently so in order to enable
>>> JITing such subprograms, simply copy poke descriptors from main program
>>> to subprogram's poke tab.
>>>
>>> Add also subprog's aux struct to the BPF map poke_progs list by calling
>>> on it map_poke_track().
>>>
>>> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
>>> ---
>>>    kernel/bpf/verifier.c | 20 ++++++++++++++++++++
>>>    1 file changed, 20 insertions(+)
>>>
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index 3c1efc9d08fd..3428edf85220 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -9936,6 +9936,9 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>>>    		goto out_undo_insn;
>>>    	for (i = 0; i < env->subprog_cnt; i++) {
>>> +		struct bpf_map *map_ptr;
>>> +		int j;
>>> +
>>>    		subprog_start = subprog_end;
>>>    		subprog_end = env->subprog_info[i + 1].start;
>>> @@ -9960,6 +9963,23 @@ static int jit_subprogs(struct bpf_verifier_env *env)
>>>    		func[i]->aux->btf = prog->aux->btf;
>>>    		func[i]->aux->func_info = prog->aux->func_info;
>>> +		for (j = 0; j < prog->aux->size_poke_tab; j++) {
>>> +			int ret;
>>> +
>>> +			ret = bpf_jit_add_poke_descriptor(func[i],
>>> +							  &prog->aux->poke_tab[j]);
>>> +			if (ret < 0) {
>>> +				verbose(env, "adding tail call poke descriptor failed\n");
>>> +				goto out_free;
>>> +			}
>>> +			map_ptr = func[i]->aux->poke_tab[j].tail_call.map;
>>> +			ret = map_ptr->ops->map_poke_track(map_ptr, func[i]->aux);
>>> +			if (ret < 0) {
>>> +				verbose(env, "tracking tail call prog failed\n");
>>> +				goto out_free;
>>> +			}
>>
>> Hmm, I don't think this is correct/complete. If some of these have been registered or
>> if later on the JIT'ing fails but the subprog is already exposed to the prog array then
>> it's /public/ at this point, so a later bpf_jit_free() in out_free will rip them mem
>> while doing live patching on prog updates leading to UAF.
> 
> Ugh. So if we would precede the out_free label with map_poke_untrack() on error
> path - would that be sufficient?

Yes that would be needed and should be sufficient since tracking/untracking/patching is
synchronized under the map's poke mutex lock.

>>> +		}
>>> +
>>>    		/* Use bpf_prog_F_tag to indicate functions in stack traces.
>>>    		 * Long term would need debug info to populate names
>>>    		 */
>>>
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ