[PATCH 03/26] bpfilter: reject kernel addresses

public inbox for dccp@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH 03/26] bpfilter: reject kernel addresses
@ 2020-07-23  6:08 Christoph Hellwig
  2020-07-23 14:42 ` David Laight
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Christoph Hellwig @ 2020-07-23  6:08 UTC (permalink / raw)
  To: dccp

The bpfilter user mode helper processes the optval address using
process_vm_readv.  Don't send it kernel addresses fed under
set_fs(KERNEL_DS) as that won't work.

Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 net/bpfilter/bpfilter_kern.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c
index 78d561f2c54da7..00540457e5f4d3 100644
--- a/net/bpfilter/bpfilter_kern.c
+++ b/net/bpfilter/bpfilter_kern.c
@@ -70,6 +70,10 @@ static int bpfilter_process_sockopt(struct sock *sk, int optname,
 		.addr		= (uintptr_t)optval,
 		.len		= optlen,
 	};
+	if (uaccess_kernel()) {
+		pr_err("kernel access not supported\n");
+		return -EFAULT;
+	}
 	return bpfilter_send_req(&req);
 }
 
-- 
2.27.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [PATCH 03/26] bpfilter: reject kernel addresses
  2020-07-23  6:08 [PATCH 03/26] bpfilter: reject kernel addresses Christoph Hellwig
@ 2020-07-23 14:42 ` David Laight
  2020-07-23 14:44 ` 'Christoph Hellwig'
  2020-07-23 14:56 ` David Laight
  2 siblings, 0 replies; 4+ messages in thread
From: David Laight @ 2020-07-23 14:42 UTC (permalink / raw)
  To: dccp

From: Christoph Hellwig
> Sent: 23 July 2020 07:09
> 
> The bpfilter user mode helper processes the optval address using
> process_vm_readv.  Don't send it kernel addresses fed under
> set_fs(KERNEL_DS) as that won't work.

What sort of operations is the bpf filter doing on the sockopt buffers?

Any attempts to reject some requests can be thwarted by a second
application thread modifying the buffer after the bpf filter has
checked that it allowed.

You can't do security by reading a user buffer twice.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 03/26] bpfilter: reject kernel addresses
  2020-07-23  6:08 [PATCH 03/26] bpfilter: reject kernel addresses Christoph Hellwig
  2020-07-23 14:42 ` David Laight
@ 2020-07-23 14:44 ` 'Christoph Hellwig'
  2020-07-23 14:56 ` David Laight
  2 siblings, 0 replies; 4+ messages in thread
From: 'Christoph Hellwig' @ 2020-07-23 14:44 UTC (permalink / raw)
  To: dccp

On Thu, Jul 23, 2020 at 02:42:11PM +0000, David Laight wrote:
> From: Christoph Hellwig
> > Sent: 23 July 2020 07:09
> > 
> > The bpfilter user mode helper processes the optval address using
> > process_vm_readv.  Don't send it kernel addresses fed under
> > set_fs(KERNEL_DS) as that won't work.
> 
> What sort of operations is the bpf filter doing on the sockopt buffers?
> 
> Any attempts to reject some requests can be thwarted by a second
> application thread modifying the buffer after the bpf filter has
> checked that it allowed.
> 
> You can't do security by reading a user buffer twice.

I'm not saying that I approve of the design, but the current bpfilter
design uses process_vm_readv to access the buffer, which obviously does
not work with kernel buffers.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* RE: [PATCH 03/26] bpfilter: reject kernel addresses
  2020-07-23  6:08 [PATCH 03/26] bpfilter: reject kernel addresses Christoph Hellwig
  2020-07-23 14:42 ` David Laight
  2020-07-23 14:44 ` 'Christoph Hellwig'
@ 2020-07-23 14:56 ` David Laight
  2 siblings, 0 replies; 4+ messages in thread
From: David Laight @ 2020-07-23 14:56 UTC (permalink / raw)
  To: dccp

From: 'Christoph Hellwig'
> Sent: 23 July 2020 15:45
> 
> On Thu, Jul 23, 2020 at 02:42:11PM +0000, David Laight wrote:
> > From: Christoph Hellwig
> > > Sent: 23 July 2020 07:09
> > >
> > > The bpfilter user mode helper processes the optval address using
> > > process_vm_readv.  Don't send it kernel addresses fed under
> > > set_fs(KERNEL_DS) as that won't work.
> >
> > What sort of operations is the bpf filter doing on the sockopt buffers?
> >
> > Any attempts to reject some requests can be thwarted by a second
> > application thread modifying the buffer after the bpf filter has
> > checked that it allowed.
> >
> > You can't do security by reading a user buffer twice.
> 
> I'm not saying that I approve of the design, but the current bpfilter
> design uses process_vm_readv to access the buffer, which obviously does
> not work with kernel buffers.

Is this a different bit of bpf that that which used to directly
intercept setsockopt() requests and pass them down from a kernel buffer?

I can't held feeling that bpf is getting 'too big for its boots' and
will have a local-user privilege escalation hiding in it somewhere.

I've had to fix my 'out of tree' driver to remove the [sg]etsockopt()
calls. Some of the replacements will go badly wrong if I've accidentally
lost track of the socket type.
I do have a daemon process sleeping in the driver - so I can wake it up
and make the requests from it with a user buffer.
I may have to implement that to get the negotiated number of 'ostreams'
to an SCTP connection.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-07-23 14:56 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-07-23  6:08 [PATCH 03/26] bpfilter: reject kernel addresses Christoph Hellwig
2020-07-23 14:42 ` David Laight
2020-07-23 14:44 ` 'Christoph Hellwig'
2020-07-23 14:56 ` David Laight

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox