Message ID | 20200723060908.50081-4-hch@lst.de (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [01/26] bpfilter: fix up a sparse annotation | expand |
From: Christoph Hellwig > Sent: 23 July 2020 07:09 > > The bpfilter user mode helper processes the optval address using > process_vm_readv. Don't send it kernel addresses fed under > set_fs(KERNEL_DS) as that won't work. What sort of operations is the bpf filter doing on the sockopt buffers? Any attempts to reject some requests can be thwarted by a second application thread modifying the buffer after the bpf filter has checked that it allowed. You can't do security by reading a user buffer twice. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Thu, Jul 23, 2020 at 02:42:11PM +0000, David Laight wrote: > From: Christoph Hellwig > > Sent: 23 July 2020 07:09 > > > > The bpfilter user mode helper processes the optval address using > > process_vm_readv. Don't send it kernel addresses fed under > > set_fs(KERNEL_DS) as that won't work. > > What sort of operations is the bpf filter doing on the sockopt buffers? > > Any attempts to reject some requests can be thwarted by a second > application thread modifying the buffer after the bpf filter has > checked that it allowed. > > You can't do security by reading a user buffer twice. I'm not saying that I approve of the design, but the current bpfilter design uses process_vm_readv to access the buffer, which obviously does not work with kernel buffers.
From: 'Christoph Hellwig' > Sent: 23 July 2020 15:45 > > On Thu, Jul 23, 2020 at 02:42:11PM +0000, David Laight wrote: > > From: Christoph Hellwig > > > Sent: 23 July 2020 07:09 > > > > > > The bpfilter user mode helper processes the optval address using > > > process_vm_readv. Don't send it kernel addresses fed under > > > set_fs(KERNEL_DS) as that won't work. > > > > What sort of operations is the bpf filter doing on the sockopt buffers? > > > > Any attempts to reject some requests can be thwarted by a second > > application thread modifying the buffer after the bpf filter has > > checked that it allowed. > > > > You can't do security by reading a user buffer twice. > > I'm not saying that I approve of the design, but the current bpfilter > design uses process_vm_readv to access the buffer, which obviously does > not work with kernel buffers. Is this a different bit of bpf that that which used to directly intercept setsockopt() requests and pass them down from a kernel buffer? I can't held feeling that bpf is getting 'too big for its boots' and will have a local-user privilege escalation hiding in it somewhere. I've had to fix my 'out of tree' driver to remove the [sg]etsockopt() calls. Some of the replacements will go badly wrong if I've accidentally lost track of the socket type. I do have a daemon process sleeping in the driver - so I can wake it up and make the requests from it with a user buffer. I may have to implement that to get the negotiated number of 'ostreams' to an SCTP connection. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c index 78d561f2c54da7..00540457e5f4d3 100644 --- a/net/bpfilter/bpfilter_kern.c +++ b/net/bpfilter/bpfilter_kern.c @@ -70,6 +70,10 @@ static int bpfilter_process_sockopt(struct sock *sk, int optname, .addr = (uintptr_t)optval, .len = optlen, }; + if (uaccess_kernel()) { + pr_err("kernel access not supported\n"); + return -EFAULT; + } return bpfilter_send_req(&req); }
The bpfilter user mode helper processes the optval address using process_vm_readv. Don't send it kernel addresses fed under set_fs(KERNEL_DS) as that won't work. Signed-off-by: Christoph Hellwig <hch@lst.de> --- net/bpfilter/bpfilter_kern.c | 4 ++++ 1 file changed, 4 insertions(+)