* [PATCH] net: filter: fix upper BPF instruction limit
@ 2014-06-18 22:34 Kees Cook
  2014-06-18 22:43 ` Daniel Borkmann
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Kees Cook @ 2014-06-18 22:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: David S. Miller, Alexei Starovoitov, Daniel Borkmann,
	Eric Dumazet, Chema Gonzalez, netdev
The original checks (via sk_chk_filter) for instruction count uses ">",
not ">=", so changing this in sk_convert_filter has the potential to break
existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # v3.15+
---
 net/core/filter.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 735fad897496..a44e12cdde4c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -840,7 +840,7 @@ int sk_convert_filter(struct sock_filter *prog, int len,
 	BUILD_BUG_ON(BPF_MEMWORDS * sizeof(u32) > MAX_BPF_STACK);
 	BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG);
 
-	if (len <= 0 || len >= BPF_MAXINSNS)
+	if (len <= 0 || len > BPF_MAXINSNS)
 		return -EINVAL;
 
 	if (new_prog) {
-- 
1.7.9.5
-- 
Kees Cook
Chrome OS Security
^ permalink raw reply related	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-18 22:34 [PATCH] net: filter: fix upper BPF instruction limit Kees Cook
@ 2014-06-18 22:43 ` Daniel Borkmann
  2014-06-18 22:48 ` Alexei Starovoitov
  2014-06-19  0:05 ` David Miller
  2 siblings, 0 replies; 10+ messages in thread
From: Daniel Borkmann @ 2014-06-18 22:43 UTC (permalink / raw)
  To: Kees Cook
  Cc: linux-kernel, David S. Miller, Alexei Starovoitov, Eric Dumazet,
	Chema Gonzalez, netdev
On 06/19/2014 12:34 AM, Kees Cook wrote:
> The original checks (via sk_chk_filter) for instruction count uses ">",
> not ">=", so changing this in sk_convert_filter has the potential to break
> existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
>
> Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
> Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-18 22:34 [PATCH] net: filter: fix upper BPF instruction limit Kees Cook
  2014-06-18 22:43 ` Daniel Borkmann
@ 2014-06-18 22:48 ` Alexei Starovoitov
  2014-06-18 22:55   ` Kees Cook
  2014-06-19  0:05 ` David Miller
  2 siblings, 1 reply; 10+ messages in thread
From: Alexei Starovoitov @ 2014-06-18 22:48 UTC (permalink / raw)
  To: Kees Cook
  Cc: LKML, David S. Miller, Daniel Borkmann, Eric Dumazet,
	Chema Gonzalez, Network Development
On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook <keescook@chromium.org> wrote:
> The original checks (via sk_chk_filter) for instruction count uses ">",
> not ">=", so changing this in sk_convert_filter has the potential to break
> existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
>
> Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Cc: stable@vger.kernel.org # v3.15+
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
I wonder how did you catch this? :)
Just code inspection or seccomp actually generating such programs?
Thanks!
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-18 22:48 ` Alexei Starovoitov
@ 2014-06-18 22:55   ` Kees Cook
  2014-06-18 23:19     ` Alexei Starovoitov
  0 siblings, 1 reply; 10+ messages in thread
From: Kees Cook @ 2014-06-18 22:55 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: LKML, David S. Miller, Daniel Borkmann, Eric Dumazet,
	Chema Gonzalez, Network Development
On Wed, Jun 18, 2014 at 3:48 PM, Alexei Starovoitov <ast@plumgrid.com> wrote:
> On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook <keescook@chromium.org> wrote:
>> The original checks (via sk_chk_filter) for instruction count uses ">",
>> not ">=", so changing this in sk_convert_filter has the potential to break
>> existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
>>
>> Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> Cc: stable@vger.kernel.org # v3.15+
>
> Acked-by: Alexei Starovoitov <ast@plumgrid.com>
>
> I wonder how did you catch this? :)
> Just code inspection or seccomp actually generating such programs?
In the process of merging my seccomp thread-sync series back with
mainline, I got uncomfortable that I was moving filter size validation
around without actually testing it. When I added it, I was happy that
my series was correctly checking size limits, but then discovered my
newly added check actually failed on an earlier kernel (3.2). Tracking
it down found the corner case under 3.15.
Here's the test I added to the seccomp regression tests, if you're interested:
https://github.com/kees/seccomp/commit/794d54a340cde70a3bdf7fe0ade1f95d160b2883
-Kees
-- 
Kees Cook
Chrome OS Security
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-18 22:55   ` Kees Cook
@ 2014-06-18 23:19     ` Alexei Starovoitov
  2014-06-18 23:28       ` Kees Cook
  0 siblings, 1 reply; 10+ messages in thread
From: Alexei Starovoitov @ 2014-06-18 23:19 UTC (permalink / raw)
  To: Kees Cook
  Cc: LKML, David S. Miller, Daniel Borkmann, Eric Dumazet,
	Chema Gonzalez, Network Development
On Wed, Jun 18, 2014 at 3:55 PM, Kees Cook <keescook@chromium.org> wrote:
> On Wed, Jun 18, 2014 at 3:48 PM, Alexei Starovoitov <ast@plumgrid.com> wrote:
>> On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook <keescook@chromium.org> wrote:
>>> The original checks (via sk_chk_filter) for instruction count uses ">",
>>> not ">=", so changing this in sk_convert_filter has the potential to break
>>> existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
>>>
>>> Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
>>> Signed-off-by: Kees Cook <keescook@chromium.org>
>>> Cc: stable@vger.kernel.org # v3.15+
>>
>> Acked-by: Alexei Starovoitov <ast@plumgrid.com>
>>
>> I wonder how did you catch this? :)
>> Just code inspection or seccomp actually generating such programs?
>
> In the process of merging my seccomp thread-sync series back with
> mainline, I got uncomfortable that I was moving filter size validation
> around without actually testing it. When I added it, I was happy that
> my series was correctly checking size limits, but then discovered my
> newly added check actually failed on an earlier kernel (3.2). Tracking
> it down found the corner case under 3.15.
>
> Here's the test I added to the seccomp regression tests, if you're interested:
> https://github.com/kees/seccomp/commit/794d54a340cde70a3bdf7fe0ade1f95d160b2883
Nice. I'm assuming https://github.com/redpig/seccomp is still the main tree
for seccomp testsuite…
btw I've tried to add 'real' test to it (one generated by chrome)
+TEST(chrome_syscalls) {
+       static struct sock_filter filter[] = {
+               { 32, 240, 61, 4 },          /* 0:      ld [4] */
+               { 21, 1, 0, -1073741762 },   /* 1:      jeq #0xc000003e, 3, 2 */
+               { 5, 0, 0, 271 },            /* 2:      ja 274 */
+               { 32, 208, 198, 0 },         /* 3:      ld [0] */
+               { 69, 0, 1, 1073741824 },    /* 4:      jset
#0x40000000, 5, 6 */
+               { 6, 0, 0, 196615 },         /* 5:      ret #0x30007 */
+               { 53, 0, 7, 121 },           /* 6:      jge #0x79, 7, 14 */
+               { 53, 0, 12, 214 },          /* 7:      jge #0xd6, 8, 20 */
…
+               { 6, 0, 0, 2147418112 },     /* 272:    ret #0x7fff0000 */
+               { 6, 0, 0, 327681 },         /* 273:    ret #0x50001 */
+               { 6, 0, 0, 196610 },         /* 274:    ret #0x30002 */
+       };
...
+       for (i = 0; i < MAX_SYSCALLS; i++) {
+               ch_pid = fork();
+               ASSERT_LE(0, ch_pid);
+
+               if (ch_pid == 0) {
+                       ret = prctl(PR_SET_SECCOMP,
+                              SECCOMP_MODE_FILTER, &prog);
+                       ASSERT_EQ(0, ret);
+#define MAGIC (-1ll << 2)
+                       err = syscall(i, MAGIC, MAGIC, MAGIC,
+                              MAGIC, MAGIC, MAGIC);
+                       syscall(__NR_exit, 0);
+               }
+               wait(&status);
+               if (status != expected_status[i])
…
but it's really x64 only and looks ugly. Do you have better ideas
on how to test all possible paths through auto-generated branch tree?
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-18 23:19     ` Alexei Starovoitov
@ 2014-06-18 23:28       ` Kees Cook
  2014-06-20 10:13         ` Daniel Borkmann
  0 siblings, 1 reply; 10+ messages in thread
From: Kees Cook @ 2014-06-18 23:28 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: LKML, David S. Miller, Daniel Borkmann, Eric Dumazet,
	Chema Gonzalez, Network Development
On Wed, Jun 18, 2014 at 4:19 PM, Alexei Starovoitov <ast@plumgrid.com> wrote:
> On Wed, Jun 18, 2014 at 3:55 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Wed, Jun 18, 2014 at 3:48 PM, Alexei Starovoitov <ast@plumgrid.com> wrote:
>>> On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook <keescook@chromium.org> wrote:
>>>> The original checks (via sk_chk_filter) for instruction count uses ">",
>>>> not ">=", so changing this in sk_convert_filter has the potential to break
>>>> existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
>>>>
>>>> Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
>>>> Signed-off-by: Kees Cook <keescook@chromium.org>
>>>> Cc: stable@vger.kernel.org # v3.15+
>>>
>>> Acked-by: Alexei Starovoitov <ast@plumgrid.com>
>>>
>>> I wonder how did you catch this? :)
>>> Just code inspection or seccomp actually generating such programs?
>>
>> In the process of merging my seccomp thread-sync series back with
>> mainline, I got uncomfortable that I was moving filter size validation
>> around without actually testing it. When I added it, I was happy that
>> my series was correctly checking size limits, but then discovered my
>> newly added check actually failed on an earlier kernel (3.2). Tracking
>> it down found the corner case under 3.15.
>>
>> Here's the test I added to the seccomp regression tests, if you're interested:
>> https://github.com/kees/seccomp/commit/794d54a340cde70a3bdf7fe0ade1f95d160b2883
>
> Nice. I'm assuming https://github.com/redpig/seccomp is still the main tree
> for seccomp testsuite…
Yes. Will hasn't pulled this most recent set of changes.
>
> btw I've tried to add 'real' test to it (one generated by chrome)
>
> +TEST(chrome_syscalls) {
> +       static struct sock_filter filter[] = {
> +               { 32, 240, 61, 4 },          /* 0:      ld [4] */
> +               { 21, 1, 0, -1073741762 },   /* 1:      jeq #0xc000003e, 3, 2 */
> +               { 5, 0, 0, 271 },            /* 2:      ja 274 */
> +               { 32, 208, 198, 0 },         /* 3:      ld [0] */
> +               { 69, 0, 1, 1073741824 },    /* 4:      jset
> #0x40000000, 5, 6 */
> +               { 6, 0, 0, 196615 },         /* 5:      ret #0x30007 */
> +               { 53, 0, 7, 121 },           /* 6:      jge #0x79, 7, 14 */
> +               { 53, 0, 12, 214 },          /* 7:      jge #0xd6, 8, 20 */
> …
> +               { 6, 0, 0, 2147418112 },     /* 272:    ret #0x7fff0000 */
> +               { 6, 0, 0, 327681 },         /* 273:    ret #0x50001 */
> +               { 6, 0, 0, 196610 },         /* 274:    ret #0x30002 */
> +       };
> ...
> +       for (i = 0; i < MAX_SYSCALLS; i++) {
> +               ch_pid = fork();
> +               ASSERT_LE(0, ch_pid);
> +
> +               if (ch_pid == 0) {
> +                       ret = prctl(PR_SET_SECCOMP,
> +                              SECCOMP_MODE_FILTER, &prog);
> +                       ASSERT_EQ(0, ret);
> +#define MAGIC (-1ll << 2)
> +                       err = syscall(i, MAGIC, MAGIC, MAGIC,
> +                              MAGIC, MAGIC, MAGIC);
> +                       syscall(__NR_exit, 0);
> +               }
> +               wait(&status);
> +               if (status != expected_status[i])
> …
>
> but it's really x64 only and looks ugly. Do you have better ideas
> on how to test all possible paths through auto-generated branch tree?
For testing BPF application filter logic itself, I lean on the test
suite in libseccomp, which does a ton of filter generation and
testing. The seccomp regression tests in the github tree tend to focus
on validating the basic behavioral elements (kill, trace, trap, etc).
-Kees
-- 
Kees Cook
Chrome OS Security
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-18 22:34 [PATCH] net: filter: fix upper BPF instruction limit Kees Cook
  2014-06-18 22:43 ` Daniel Borkmann
  2014-06-18 22:48 ` Alexei Starovoitov
@ 2014-06-19  0:05 ` David Miller
  2 siblings, 0 replies; 10+ messages in thread
From: David Miller @ 2014-06-19  0:05 UTC (permalink / raw)
  To: keescook; +Cc: linux-kernel, ast, dborkman, edumazet, chema, netdev
From: Kees Cook <keescook@chromium.org>
Date: Wed, 18 Jun 2014 15:34:57 -0700
> The original checks (via sk_chk_filter) for instruction count uses ">",
> not ">=", so changing this in sk_convert_filter has the potential to break
> existing seccomp filters that used exactly BPF_MAXINSNS many instructions.
> 
> Fixes: bd4cf0ed331a ("net: filter: rework/optimize internal BPF interpreter's instruction set")
> Signed-off-by: Kees Cook <keescook@chromium.org>
Applied, thanks.
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-18 23:28       ` Kees Cook
@ 2014-06-20 10:13         ` Daniel Borkmann
  2014-06-20 16:48           ` Kees Cook
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel Borkmann @ 2014-06-20 10:13 UTC (permalink / raw)
  To: Kees Cook
  Cc: Alexei Starovoitov, LKML, David S. Miller, Eric Dumazet,
	Chema Gonzalez, Network Development
Hi Kees,
On 06/19/2014 01:28 AM, Kees Cook wrote:
> On Wed, Jun 18, 2014 at 4:19 PM, Alexei Starovoitov <ast@plumgrid.com> wrote:
>> On Wed, Jun 18, 2014 at 3:55 PM, Kees Cook <keescook@chromium.org> wrote:
>>> On Wed, Jun 18, 2014 at 3:48 PM, Alexei Starovoitov <ast@plumgrid.com> wrote:
>>>> On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook <keescook@chromium.org> wrote:
...
>>>> I wonder how did you catch this? :)
>>>> Just code inspection or seccomp actually generating such programs?
>>>
>>> In the process of merging my seccomp thread-sync series back with
>>> mainline, I got uncomfortable that I was moving filter size validation
>>> around without actually testing it. When I added it, I was happy that
>>> my series was correctly checking size limits, but then discovered my
>>> newly added check actually failed on an earlier kernel (3.2). Tracking
>>> it down found the corner case under 3.15.
>>>
>>> Here's the test I added to the seccomp regression tests, if you're interested:
>>> https://github.com/kees/seccomp/commit/794d54a340cde70a3bdf7fe0ade1f95d160b2883
>>
>> Nice. I'm assuming https://github.com/redpig/seccomp is still the main tree
>> for seccomp testsuite…
>
> Yes. Will hasn't pulled this most recent set of changes.
We were actually thinking about extending lib/test_bpf module with seccomp
tests, which is possible to a limited extend, but seccomp is also a bit
more than just running a BPF program and making sure results fit.
Are there any plans to put and extend test cases from [1] via user space
side into the kernel self-test directory, i.e. into something like
tools/testing/selftests/seccomp/ so that in future new tests can be added
or run from there? Might be worth to consider.
Thanks,
Daniel
  [1] https://github.com/redpig/seccomp
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-20 10:13         ` Daniel Borkmann
@ 2014-06-20 16:48           ` Kees Cook
  2014-06-20 21:00             ` Daniel Borkmann
  0 siblings, 1 reply; 10+ messages in thread
From: Kees Cook @ 2014-06-20 16:48 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: Alexei Starovoitov, LKML, David S. Miller, Eric Dumazet,
	Chema Gonzalez, Network Development
On Fri, Jun 20, 2014 at 3:13 AM, Daniel Borkmann <dborkman@redhat.com> wrote:
> Hi Kees,
>
>
> On 06/19/2014 01:28 AM, Kees Cook wrote:
>>
>> On Wed, Jun 18, 2014 at 4:19 PM, Alexei Starovoitov <ast@plumgrid.com>
>> wrote:
>>>
>>> On Wed, Jun 18, 2014 at 3:55 PM, Kees Cook <keescook@chromium.org> wrote:
>>>>
>>>> On Wed, Jun 18, 2014 at 3:48 PM, Alexei Starovoitov <ast@plumgrid.com>
>>>> wrote:
>>>>>
>>>>> On Wed, Jun 18, 2014 at 3:34 PM, Kees Cook <keescook@chromium.org>
>>>>> wrote:
>
> ...
>
>>>>> I wonder how did you catch this? :)
>>>>> Just code inspection or seccomp actually generating such programs?
>>>>
>>>>
>>>> In the process of merging my seccomp thread-sync series back with
>>>> mainline, I got uncomfortable that I was moving filter size validation
>>>> around without actually testing it. When I added it, I was happy that
>>>> my series was correctly checking size limits, but then discovered my
>>>> newly added check actually failed on an earlier kernel (3.2). Tracking
>>>> it down found the corner case under 3.15.
>>>>
>>>> Here's the test I added to the seccomp regression tests, if you're
>>>> interested:
>>>>
>>>> https://github.com/kees/seccomp/commit/794d54a340cde70a3bdf7fe0ade1f95d160b2883
>>>
>>>
>>> Nice. I'm assuming https://github.com/redpig/seccomp is still the main
>>> tree
>>> for seccomp testsuite…
>>
>>
>> Yes. Will hasn't pulled this most recent set of changes.
>
>
> We were actually thinking about extending lib/test_bpf module with seccomp
> tests, which is possible to a limited extend, but seccomp is also a bit
> more than just running a BPF program and making sure results fit.
>
> Are there any plans to put and extend test cases from [1] via user space
> side into the kernel self-test directory, i.e. into something like
> tools/testing/selftests/seccomp/ so that in future new tests can be added
> or run from there? Might be worth to consider.
Yeah, I have this on my TODO list, but we need to juggle relicensing
the test suite (it is currently BSD, not GPLv2). I'll keep chasing
this.
-Kees
>
> Thanks,
>
> Daniel
>
>  [1] https://github.com/redpig/seccomp
-- 
Kees Cook
Chrome OS Security
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] net: filter: fix upper BPF instruction limit
  2014-06-20 16:48           ` Kees Cook
@ 2014-06-20 21:00             ` Daniel Borkmann
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel Borkmann @ 2014-06-20 21:00 UTC (permalink / raw)
  To: Kees Cook
  Cc: Alexei Starovoitov, LKML, David S. Miller, Eric Dumazet,
	Chema Gonzalez, Network Development
On 06/20/2014 06:48 PM, Kees Cook wrote:
...
>> Are there any plans to put and extend test cases from [1] via user space
>> side into the kernel self-test directory, i.e. into something like
>> tools/testing/selftests/seccomp/ so that in future new tests can be added
>> or run from there? Might be worth to consider.
>
> Yeah, I have this on my TODO list, but we need to juggle relicensing
> the test suite (it is currently BSD, not GPLv2). I'll keep chasing
> this.
Sounds good, please keep us in the loop.
Thanks,
Daniel
^ permalink raw reply	[flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-06-20 21:00 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-06-18 22:34 [PATCH] net: filter: fix upper BPF instruction limit Kees Cook
2014-06-18 22:43 ` Daniel Borkmann
2014-06-18 22:48 ` Alexei Starovoitov
2014-06-18 22:55   ` Kees Cook
2014-06-18 23:19     ` Alexei Starovoitov
2014-06-18 23:28       ` Kees Cook
2014-06-20 10:13         ` Daniel Borkmann
2014-06-20 16:48           ` Kees Cook
2014-06-20 21:00             ` Daniel Borkmann
2014-06-19  0:05 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).