| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Feb 2021 10:42:47 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Steven Rostedt <rostedt@...dmis.org>,
Ingo Molnar <mingo@...hat.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, andrii@...nel.org,
Martin KaFai Lau <kafai@...com>,
David Miller <davem@...emloft.net>, kpsingh@...nel.org,
John Fastabend <john.fastabend@...il.com>,
netdev <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: extended bpf_send_signal_thread with argument
On Mon, Feb 1, 2021 at 10:22 AM Peter Zijlstra <peterz@...radead.org> wrote:
>
> On Sun, Jan 31, 2021 at 12:14:02PM +0100, Dmitry Vyukov wrote:
> > Hi,
> >
> > I would like to send a signal from a bpf program invoked from a
> > perf_event. There is:
>
> You can't. Sending signals requires sighand lock, and you're not allowed
> to take locks from perf_event context.
Then we just found a vulnerability because there is
bpf_send_signal_thread which can be attached to perf and it passes the
verifier :)
https://elixir.bootlin.com/linux/v5.11-rc5/source/kernel/trace/bpf_trace.c#L1145
It can defer sending the signal to the exit of irq context:
https://elixir.bootlin.com/linux/v5.11-rc5/source/kernel/trace/bpf_trace.c#L1108
Perhaps this is what makes it work?
Powered by blists - more mailing lists