From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Daniel Borkmann <daniel@iogearbox.net>,
Stanislav Fomichev <sdf@google.com>,
Eric Dumazet <edumazet@google.com>
Subject: Re: [PATCH 5.4 29/33] net, sctp, filter: remap copy_from_user failure error
Date: Sat, 23 Jan 2021 15:57:15 +0100 [thread overview]
Message-ID: <YAw5S2rysk/PnwRS@kroah.com> (raw)
In-Reply-To: <20210122165545.GJ3863@horizon.localdomain>
On Fri, Jan 22, 2021 at 01:55:45PM -0300, Marcelo Ricardo Leitner wrote:
> On Fri, Jan 22, 2021 at 03:12:45PM +0100, Greg Kroah-Hartman wrote:
> > From: Daniel Borkmann <daniel@iogearbox.net>
> >
> > [ no upstream commit ]
> >
> > Fix a potential kernel address leakage for the prerequisite where there is
> > a BPF program attached to the cgroup/setsockopt hook. The latter can only
> > be attached under root, however, if the attached program returns 1 to then
> > run the related kernel handler, an unprivileged program could probe for
> > kernel addresses that way. The reason this is possible is that we're under
> > set_fs(KERNEL_DS) when running the kernel setsockopt handler. Aside from
> > old cBPF there is also SCTP's struct sctp_getaddrs_old which contains
> > pointers in the uapi struct that further need copy_from_user() inside the
> > handler. In the normal case this would just return -EFAULT, but under a
> > temporary KERNEL_DS setting the memory would be copied and we'd end up at
> > a different error code, that is, -EINVAL, for both cases given subsequent
> > validations fail, which then allows the app to distinguish and make use of
> > this fact for probing the address space. In case of later kernel versions
> > this issue won't work anymore thanks to Christoph Hellwig's work that got
> > rid of the various temporary set_fs() address space overrides altogether.
> > One potential option for 5.4 as the only affected stable kernel with the
> > least complexity would be to remap those affected -EFAULT copy_from_user()
> > error codes with -EINVAL such that they cannot be probed anymore. Risk of
> > breakage should be rather low for this particular error case.
> >
> > Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> > Reported-by: Ryota Shiga (Flatt Security)
> > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Stanislav Fomichev <sdf@google.com>
> > Cc: Eric Dumazet <edumazet@google.com>
> > Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> For sctp bits,
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Thanks for the review!
next prev parent reply other threads:[~2021-01-23 14:58 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-22 14:12 [PATCH 5.4 00/33] 5.4.92-rc1 review Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 01/33] usb: ohci: Make distrust_firmware param default to false Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 02/33] compiler.h: Raise minimum version of GCC to 5.1 for arm64 Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 03/33] xen/privcmd: allow fetching resource sizes Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 04/33] elfcore: fix building with clang Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 05/33] scsi: lpfc: Make function lpfc_defer_pt2pt_acc static Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 06/33] scsi: lpfc: Make lpfc_defer_acc_rsp static Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 07/33] spi: npcm-fiu: simplify the return expression of npcm_fiu_probe() Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 08/33] spi: npcm-fiu: Disable clock in probe error path Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 09/33] nfsd4: readdirplus shouldnt return parent of export Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 10/33] bpf: Dont leak memory in bpf getsockopt when optlen == 0 Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 11/33] bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 12/33] udp: Prevent reuseport_select_sock from reading uninitialized socks Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 13/33] netxen_nic: fix MSI/MSI-x interrupts Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 14/33] net: introduce skb_list_walk_safe for skb segment walking Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 15/33] net: skbuff: disambiguate argument and member for skb_list_walk_safe helper Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 16/33] net: ipv6: Validate GSO SKB before finish IPv6 processing Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 17/33] mlxsw: core: Add validation of transceiver temperature thresholds Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 18/33] mlxsw: core: Increase critical threshold for ASIC thermal zone Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 19/33] net: mvpp2: Remove Pause and Asym_Pause support Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 20/33] rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 21/33] esp: avoid unneeded kmap_atomic call Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 22/33] net: dcb: Validate netlink message in DCB handler Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 23/33] net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 24/33] rxrpc: Call state should be read with READ_ONCE() under some circumstances Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 25/33] net: stmmac: Fixed mtu channged by cache aligned Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 26/33] net: sit: unregister_netdevice on newlinks error path Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 27/33] net: avoid 32 x truesize under-estimation for tiny skbs Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 28/33] rxrpc: Fix handling of an unsupported token type in rxrpc_read() Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 29/33] net, sctp, filter: remap copy_from_user failure error Greg Kroah-Hartman
2021-01-22 16:55 ` Marcelo Ricardo Leitner
2021-01-23 14:57 ` Greg Kroah-Hartman [this message]
2021-01-22 14:12 ` [PATCH 5.4 30/33] tipc: fix NULL deref in tipc_link_xmit() Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 31/33] mac80211: do not drop tx nulldata packets on encrypted links Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 32/33] mac80211: check if atf has been disabled in __ieee80211_schedule_txq Greg Kroah-Hartman
2021-01-22 14:12 ` [PATCH 5.4 33/33] spi: cadence: cache reference clock rate during probe Greg Kroah-Hartman
2021-01-23 0:24 ` [PATCH 5.4 00/33] 5.4.92-rc1 review Shuah Khan
2021-01-23 5:57 ` Naresh Kamboju
2021-01-23 7:20 ` Naresh Kamboju
2021-01-23 9:59 ` Jon Hunter
2021-01-23 14:35 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YAw5S2rysk/PnwRS@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=sdf@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).