From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Martin KaFai Lau <kafai@fb.com>,
Edward Cree <ecree@solarflare.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 08/57] bpf: prevent leaking pointer via xadd on unpriviledged
Date: Wed, 19 Jul 2017 13:12:14 +0200 [thread overview]
Message-ID: <20170719111250.315950350@linuxfoundation.org> (raw)
In-Reply-To: <20170719111249.973558472@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
commit 6bdf6abc56b53103324dfd270a86580306e1a232 upstream.
Leaking kernel addresses on unpriviledged is generally disallowed,
for example, verifier rejects the following:
0: (b7) r0 = 0
1: (18) r2 = 0xffff897e82304400
3: (7b) *(u64 *)(r1 +48) = r2
R2 leaks addr into ctx
Doing pointer arithmetic on them is also forbidden, so that they
don't turn into unknown value and then get leaked out. However,
there's xadd as a special case, where we don't check the src reg
for being a pointer register, e.g. the following will pass:
0: (b7) r0 = 0
1: (7b) *(u64 *)(r1 +48) = r0
2: (18) r2 = 0xffff897e82304400 ; map
4: (db) lock *(u64 *)(r1 +48) += r2
5: (95) exit
We could store the pointer into skb->cb, loose the type context,
and then read it out from there again to leak it eventually out
of a map value. Or more easily in a different variant, too:
0: (bf) r6 = r1
1: (7a) *(u64 *)(r10 -8) = 0
2: (bf) r2 = r10
3: (07) r2 += -8
4: (18) r1 = 0x0
6: (85) call bpf_map_lookup_elem#1
7: (15) if r0 == 0x0 goto pc+3
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R6=ctx R10=fp
8: (b7) r3 = 0
9: (7b) *(u64 *)(r0 +0) = r3
10: (db) lock *(u64 *)(r0 +0) += r6
11: (b7) r0 = 0
12: (95) exit
from 7 to 11: R0=inv,min_value=0,max_value=0 R6=ctx R10=fp
11: (b7) r0 = 0
12: (95) exit
Prevent this by checking xadd src reg for pointer types. Also
add a couple of test cases related to this.
Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -754,6 +754,11 @@ static int check_xadd(struct verifier_en
if (err)
return err;
+ if (is_pointer_value(env, insn->src_reg)) {
+ verbose("R%d leaks addr into mem\n", insn->src_reg);
+ return -EACCES;
+ }
+
/* check whether atomic_add can read the memory */
err = check_mem_access(env, insn->dst_reg, insn->off,
BPF_SIZE(insn->code), BPF_READ, -1);
next prev parent reply other threads:[~2017-07-19 11:13 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-19 11:12 [PATCH 4.4 00/57] 4.4.78-stable review Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 01/57] net_sched: fix error recovery at qdisc creation Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 02/57] net: sched: Fix one possible panic when no destroy callback Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 03/57] net/phy: micrel: configure intterupts after autoneg workaround Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 04/57] ipv6: avoid unregistering inet6_dev for loopback Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 05/57] net: dp83640: Avoid NULL pointer dereference Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 06/57] tcp: reset sk_rx_dst in tcp_disconnect() Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 07/57] net: prevent sign extension in dev_get_stats() Greg Kroah-Hartman
2017-07-19 11:12 ` Greg Kroah-Hartman [this message]
2017-07-19 11:12 ` [PATCH 4.4 10/57] ipv6: dad: dont remove dynamic addresses if link is down Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 12/57] vrf: fix bug_on triggered by rx when destroying a vrf Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 13/57] rds: tcp: use sock_create_lite() to create the accept socket Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 15/57] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 16/57] cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 17/57] cfg80211: Check if PMKID attribute is of expected size Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 18/57] irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 19/57] parisc: Report SIGSEGV instead of SIGBUS when running out of stack Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 20/57] parisc: use compat_sys_keyctl() Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 21/57] parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 22/57] parisc/mm: Ensure IRQs are off in switch_mm() Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 23/57] tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 24/57] kernel/extable.c: mark core_kernel_text notrace Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 25/57] mm/list_lru.c: fix list_lru_count_node() to be race free Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 26/57] fs/dcache.c: fix spin lockup issue on nlru->lock Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 27/57] checkpatch: silence perl 5.26.0 unescaped left brace warnings Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 28/57] binfmt_elf: use ELF_ET_DYN_BASE only for PIE Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 29/57] arm: move ELF_ET_DYN_BASE to 4MB Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 30/57] arm64: move ELF_ET_DYN_BASE to 4GB / 4MB Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 31/57] powerpc: " Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 32/57] s390: reduce ELF_ET_DYN_BASE Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 33/57] exec: Limit arg stack to at most 75% of _STK_LIM Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 34/57] vt: fix unchecked __put_user() in tioclinux ioctls Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 35/57] mnt: In umount propagation reparent in a separate pass Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 36/57] mnt: In propgate_umount handle visiting mounts in any order Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 37/57] mnt: Make propagate_umount less slow for overlapping mount propagation trees Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 38/57] selftests/capabilities: Fix the test_execve test Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 39/57] tpm: Get rid of chip->pdev Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 40/57] tpm: Provide strong locking for device removal Greg Kroah-Hartman
2017-07-25 22:56 ` Ben Hutchings
2017-07-26 19:56 ` Greg Kroah-Hartman
2017-07-26 20:03 ` Jason Gunthorpe
2017-07-28 22:42 ` Greg Kroah-Hartman
2017-07-31 22:22 ` Jarkko Sakkinen
2017-08-04 19:59 ` Greg Kroah-Hartman
2017-08-04 21:44 ` Greg Kroah-Hartman
2017-08-06 12:47 ` Jarkko Sakkinen
2017-08-08 21:05 ` Jarkko Sakkinen
2017-08-08 21:14 ` Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 41/57] Add "shutdown" to "struct class" Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 42/57] tpm: Issue a TPM2_Shutdown for TPM2 devices Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 45/57] crypto: atmel - only treat EBUSY as transient if backlog Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 46/57] crypto: sha1-ssse3 - Disable avx2 Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 48/57] sched/topology: Fix overlapping sched_group_mask Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 49/57] sched/topology: Optimize build_group_mask() Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 50/57] PM / wakeirq: Convert to SRCU Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 51/57] PM / QoS: return -EINVAL for bogus strings Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 52/57] tracing: Use SOFTIRQ_OFFSET for softirq dectection for more accurate results Greg Kroah-Hartman
2017-07-19 11:12 ` [PATCH 4.4 53/57] KVM: x86: disable MPX if host did not enable MPX XSAVE features Greg Kroah-Hartman
2017-07-19 11:13 ` [PATCH 4.4 57/57] kvm: vmx: allow host to access guest MSR_IA32_BNDCFGS Greg Kroah-Hartman
2017-07-19 20:33 ` [PATCH 4.4 00/57] 4.4.78-stable review Guenter Roeck
2017-07-19 23:39 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170719111250.315950350@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=ecree@solarflare.com \
--cc=kafai@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).