lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Apr 2022 12:49:58 -0700 From: Andrii Nakryiko <andrii.nakryiko@...il.com> To: Tadeusz Struk <tadeusz.struk@...aro.org> Cc: bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Networking <netdev@...r.kernel.org>, linux- stable <stable@...r.kernel.org>, open list <linux-kernel@...r.kernel.org>, syzbot+f264bffdfbd5614f3bb2@...kaller.appspotmail.com Subject: Re: [PATCH] bpf: Fix KASAN use-after-free Read in compute_effective_progs On Wed, Apr 13, 2022 at 12:27 PM Tadeusz Struk <tadeusz.struk@...aro.org> wrote: > > On 4/13/22 12:07, Andrii Nakryiko wrote: > >> it would be ideal if detach would never fail, but it would require some kind of > >> prealloc, on attach maybe? Another option would be to minimize the probability > > We allocate new arrays in update_effective_progs() under assumption > > that we might need to grow the array because we use > > update_effective_progs() for attachment. But for detachment we know > > that we definitely don't need to increase the size, we need to remove > > existing element only, thus shrinking the size. > > > > Normally we'd reallocate the array to shrink it (and that's why we use > > update_effective_progs() and allocate memory), but we can also have a > > fallback path for detachment only to reuse existing effective arrays > > and just shift all the elements to the right from the element that's > > being removed. We'll leave NULL at the end, but that's much better > > than error out. Subsequent attachment or detachment will attempt to > > properly size and reallocate everything. > > > > So I think that should be the fix, if you'd be willing to work on it. > > That makes it much easier then. I will change it so that there is no > alloc needed on the detach path. Thanks for the clarification. Keep in mind that we probably want to do normal alloc-based detach first anyways, if it works. It will keep effective arrays minimally sized. This additional detach specific logic should be a fall back path if the normal way doesn't work. > > -- > Thanks, > Tadeusz
Powered by blists - more mailing lists