lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 19 Jul 2021 09:48:48 +0100
From:   Lorenz Bauer <lmb@...udflare.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     Andrii Nakryiko <andrii.nakryiko@...il.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Andrii Nakryiko <andrii@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Jesper Dangaard Brouer <hawk@...nel.org>,
        John Fastabend <john.fastabend@...il.com>,
        kernel-team <kernel-team@...udflare.com>,
        Andrii Nakryiko <andriin@...com>,
        Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf] bpf: fix OOB read when printing XDP link fdinfo

On Fri, 16 Jul 2021 at 22:01, Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On 7/16/21 10:43 PM, Andrii Nakryiko wrote:
> > On Fri, Jul 16, 2021 at 3:05 AM Lorenz Bauer <lmb@...udflare.com> wrote:
> >>
> >> We got the following UBSAN report on one of our testing machines:
> >>
> >>      ================================================================================
> >>      UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24
> >>      index 6 is out of range for type 'char *[6]'
> >>      CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G           O      5.10.48-cloudflare-kasan-2021.7.0 #1
> >>      Hardware name: <snip>
> >>      Call Trace:
> >>       dump_stack+0x7d/0xa3
> >>       ubsan_epilogue+0x5/0x40
> >>       __ubsan_handle_out_of_bounds.cold+0x43/0x48
> >>       ? seq_printf+0x17d/0x250
> >>       bpf_link_show_fdinfo+0x329/0x380
> >>       ? bpf_map_value_size+0xe0/0xe0
> >>       ? put_files_struct+0x20/0x2d0
> >>       ? __kasan_kmalloc.constprop.0+0xc2/0xd0
> >>       seq_show+0x3f7/0x540
> >>       seq_read_iter+0x3f8/0x1040
> >>       seq_read+0x329/0x500
> >>       ? seq_read_iter+0x1040/0x1040
> >>       ? __fsnotify_parent+0x80/0x820
> >>       ? __fsnotify_update_child_dentry_flags+0x380/0x380
> >>       vfs_read+0x123/0x460
> >>       ksys_read+0xed/0x1c0
> >>       ? __x64_sys_pwrite64+0x1f0/0x1f0
> >>       do_syscall_64+0x33/0x40
> >>       entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >>      <snip>
> >>      ================================================================================
> >>      ================================================================================
> >>      UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2
> >>
> >>  From the report, we can infer that some array access in bpf_link_show_fdinfo at index 6
> >> is out of bounds. The obvious candidate is bpf_link_type_strs[BPF_LINK_TYPE_XDP] with
> >> BPF_LINK_TYPE_XDP == 6. It turns out that BPF_LINK_TYPE_XDP is missing from bpf_types.h
> >> and therefore doesn't have an entry in bpf_link_type_strs:
> >>
> >>      pos:        0
> >>      flags:      02000000
> >>      mnt_id:     13
> >>      link_type:  (null)
> >>      link_id:    4
> >>      prog_tag:   bcf7977d3b93787c
> >>      prog_id:    4
> >>      ifindex:    1
> >>
> >> Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API")
> >> Signed-off-by: Lorenz Bauer <lmb@...udflare.com>
> >> ---
> >
> > Well, oops. Thanks for the fix!
> >
> > Acked-by: Andrii Nakryiko <andrii@...nel.org>
> >
> > It would be great to have a compilation error for something like this.
> > I wonder if we can do something to detect this going forward?
> >
> >>   include/linux/bpf_types.h | 1 +
> >>   1 file changed, 1 insertion(+)
> >>
> >> diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
> >> index a9db1eae6796..be95f2722ad9 100644
> >> --- a/include/linux/bpf_types.h
> >> +++ b/include/linux/bpf_types.h
> >> @@ -135,3 +135,4 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter)
> >>   #ifdef CONFIG_NET
> >>   BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns)
> >>   #endif
> >> +BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp)
>
> Lorenz, does this compile when you don't have CONFIG_NET configured? I would assume
> this needs to go right below the netns one depending on CONFIG_NET.. at least the
> bpf_xdp_link_lops are in net/core/dev.c which is only built under CONFIG_NET.

It does compile, since the only use of the macro is to stringify a
link type for fdinfo. I'll move it into CONFIG_NET to be consistent
with netdev though.

-- 
Lorenz Bauer  |  Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK

www.cloudflare.com

Powered by blists - more mailing lists