From: David Miller <davem@davemloft.net>
To: daniel@iogearbox.net
Cc: ast@kernel.org, dvyukov@google.com, kcc@google.com,
glider@google.com, edumazet@google.com, sasha.levin@oracle.com,
syzkaller@googlegroups.com, netdev@vger.kernel.org
Subject: Re: [PATCH net] bpf, array: fix heap out-of-bounds access when updating elements
Date: Tue, 01 Dec 2015 21:57:36 -0500 (EST) [thread overview]
Message-ID: <20151201.215736.672943879522319005.davem@davemloft.net> (raw)
In-Reply-To: <674d6a1d4ff0e7728e535dc2d8fe1c5bea1e50b0.1448883657.git.daniel@iogearbox.net>
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Mon, 30 Nov 2015 13:02:55 +0100
> During own review but also reported by Dmitry's syzkaller [1] it has been
> noticed that we trigger a heap out-of-bounds access on eBPF array maps
> when updating elements. This happens with each map whose map->value_size
> (specified during map creation time) is not multiple of 8 bytes.
>
> In array_map_alloc(), elem_size is round_up(attr->value_size, 8) and
> used to align array map slots for faster access. However, in function
> array_map_update_elem(), we update the element as ...
>
> memcpy(array->value + array->elem_size * index, value, array->elem_size);
>
> ... where we access 'value' out-of-bounds, since it was allocated from
> map_update_elem() from syscall side as kmalloc(map->value_size, GFP_USER)
> and later on copied through copy_from_user(value, uvalue, map->value_size).
> Thus, up to 7 bytes, we can access out-of-bounds.
>
> Same could happen from within an eBPF program, where in worst case we
> access beyond an eBPF program's designated stack.
>
> Since 1be7f75d1668 ("bpf: enable non-root eBPF programs") didn't hit an
> official release yet, it only affects priviledged users.
>
> In case of array_map_lookup_elem(), the verifier prevents eBPF programs
> from accessing beyond map->value_size through check_map_access(). Also
> from syscall side map_lookup_elem() only copies map->value_size back to
> user, so nothing could leak.
>
> [1] http://github.com/google/syzkaller
>
> Fixes: 28fbcfa08d8e ("bpf: add array type of eBPF maps")
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Applied, thanks.
prev parent reply other threads:[~2015-12-02 2:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-30 12:02 [PATCH net] bpf, array: fix heap out-of-bounds access when updating elements Daniel Borkmann
2015-11-30 18:29 ` Alexei Starovoitov
2015-12-01 9:38 ` Dmitry Vyukov
2015-12-01 10:30 ` Daniel Borkmann
2015-12-03 17:21 ` Dmitry Vyukov
2015-12-02 2:57 ` David Miller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151201.215736.672943879522319005.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=netdev@vger.kernel.org \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).