lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20220309123321.2400262-1-houtao1@huawei.com>
Date:   Wed, 9 Mar 2022 20:33:17 +0800
From:   Hou Tao <houtao1@...wei.com>
To:     Alexei Starovoitov <ast@...nel.org>
CC:     Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>,
        John Fastabend <john.fastabend@...il.com>,
        Yonghong Song <yhs@...com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        KP Singh <kpsingh@...nel.org>, <netdev@...r.kernel.org>,
        <bpf@...r.kernel.org>, <houtao1@...wei.com>
Subject: [PATCH bpf-next 0/4] fixes for bpf_jit_harden race

Hi,

Now bpf_jit_harden will be tested twice for each subprog if there are
subprogs in bpf program and constant blinding may increase the length of
program, so when running "./test_progs -t subprogs" and toggling
bpf_jit_harden between 0 and 2, extra pass in bpf_int_jit_compile() may
fail because constant blinding increases the length of subprog and
the length is mismatched with the first pass.

The failure uncovers several issues in error handling of jit_subprogs()
and bpf_int_jit_compile():
(1) jit_subprogs() continues even when extra pass for one subprogs fails
It may leads to oops during to UAF. Fixed in patch #1.

(2) jit_subprogs() doesn't do proper cleanup for other subprogs which
    have not went through the extra pass.
It will lead to oops and memory leak. Fixed in patch #2. Other arch JIT
may have the same problem, and will fix later if the proposed fix for
x86-64 is accepted.

(3) bpf_int_jit_compile() may fail due to inconsistent twice read values
    from bpf_jit_harden
Fixed in patch #3 by caching the value of bpf_jit_blinding_enabled().

Patch #4 just adds a test to ensure these problem are fixed.

Comments and suggestions are welcome.

Regards,
Tao

Hou Tao (4):
  bpf, x86: Fall back to interpreter mode when extra pass fails
  bpf: Introduce bpf_int_jit_abort()
  bpf: Fix net.core.bpf_jit_harden race
  selftests/bpf: Test subprog jit when toggle bpf_jit_harden repeatedly

 arch/x86/net/bpf_jit_comp.c                   | 35 ++++++++-
 include/linux/filter.h                        |  2 +
 kernel/bpf/core.c                             | 12 ++-
 kernel/bpf/verifier.c                         |  8 +-
 .../selftests/bpf/prog_tests/subprogs.c       | 77 ++++++++++++++++---
 5 files changed, 120 insertions(+), 14 deletions(-)

-- 
2.29.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ