lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 7 Sep 2020 16:21:17 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Alexei Starovoitov <alexei.starovoitov@...il.com>,
        Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc:     Yonghong Song <yhs@...com>, bpf <bpf@...r.kernel.org>,
        Networking <netdev@...r.kernel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Kernel Team <kernel-team@...com>
Subject: Re: [PATCH bpf-next 1/2] bpf: permit map_ptr arithmetic with opcode
 add and offset 0

On 9/5/20 2:10 AM, Alexei Starovoitov wrote:
> On Fri, Sep 4, 2020 at 5:08 PM Andrii Nakryiko
> <andrii.nakryiko@...il.com> wrote:
>> On Fri, Sep 4, 2020 at 4:20 PM Yonghong Song <yhs@...com> wrote:
[...]
>>> for scalar constant, reg->var_off.mask should be 0. so we will have
>>> reg->smin_value = reg->smax_value = (s64)reg->var_off.value.
>>>
>>> The smin_val is also used below, e.g., BPF_ADD, for a known value.
>>> That is why I am using smin_val here.
>>>
>>> Will add a comment and submit v2.
>>
>> it would be way-way more obvious (and reliable in the long run,
>> probably) if you just used (known && reg->var_off.value == 0). or just
>> tnum_equals_const(reg->var_off, 0)?
> 
> Pls dont. smin_val == 0 is a standard way to do this.
> Just check all other places in this function and everywhere else.

Also, we taint the reg earlier in that function if its known and min != max:

         if ((known && (smin_val != smax_val || umin_val != umax_val)) ||
             smin_val > smax_val || umin_val > umax_val) {
                 /* Taint dst register if offset had invalid bounds derived from
                  * e.g. dead branches.
                  */
                 __mark_reg_unknown(env, dst_reg);
                 return 0;
         }

Powered by blists - more mailing lists