[2/2] bpf: cgroup: Fix problematic bounds check

Message ID	20210122164232.61770-2-loris.reiff@liblor.ch (mailing list archive)
State	Accepted
Commit	f4a2da755a7e1f5d845c52aee71336cee289935a
Delegated to:	BPF
Headers	show Return-Path: <bpf-owner@kernel.org> From: Loris Reiff <loris.reiff@liblor.ch> To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, Loris Reiff <loris.reiff@liblor.ch> Subject: [PATCH 2/2] bpf: cgroup: Fix problematic bounds check Date: Fri, 22 Jan 2021 17:42:32 +0100 Message-Id: <20210122164232.61770-2-loris.reiff@liblor.ch> In-Reply-To: <20210122164232.61770-1-loris.reiff@liblor.ch> References: <20210122164232.61770-1-loris.reiff@liblor.ch> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[1/2] bpf: cgroup: Fix optlen WARN_ON_ONCE toctou \| expand [1/2] bpf: cgroup: Fix optlen WARN_ON_ONCE toctou [2/2] bpf: cgroup: Fix problematic bounds check

Message ID

20210122164232.61770-2-loris.reiff@liblor.ch (mailing list archive)

State

Accepted

Commit

f4a2da755a7e1f5d845c52aee71336cee289935a

Delegated to:

BPF

Headers

show

Return-Path: <bpf-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2DD45C433E0
	for <bpf@archiver.kernel.org>; Fri, 22 Jan 2021 16:51:22 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id EFF9A23A9A
	for <bpf@archiver.kernel.org>; Fri, 22 Jan 2021 16:51:21 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729577AbhAVQuL (ORCPT <rfc822;bpf@archiver.kernel.org>);
        Fri, 22 Jan 2021 11:50:11 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52856 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729390AbhAVQnq (ORCPT <rfc822;bpf@vger.kernel.org>);
        Fri, 22 Jan 2021 11:43:46 -0500
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org
 [IPv6:2001:67c:2050::465:102])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA3D6C061797;
        Fri, 22 Jan 2021 08:43:09 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org
 [IPv6:2001:67c:2050:105:465:1:2:0])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)
 server-digest SHA256)
        (No client certificate requested)
        by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4DMlSB6qB8zQlYw;
        Fri, 22 Jan 2021 17:43:06 +0100 (CET)
Authentication-Results: gerste.heinlein-support.de (amavisd-new);
        dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
        header.d=mailbox.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailbox.org; h=
        content-transfer-encoding:mime-version:references:in-reply-to
        :message-id:date:date:subject:subject:from:from:received; s=
        mail20150812; t=1611333783; bh=EXY5UBekWmdLcrCcU6mcp7T2dzDQIdcDp
        LiEPkUlz70=; b=tS/5HHjEMv9zxzMEvWCn4JcH1ftjmJL+vAZNfkrBkP3DhjYGt
        Oj7S8pKnGBt6I6l8GAcKc3txaW/vhylwDnSYvUYHQjxFkIfgK1+gOvrgPAJZBtK5
        i4rRBbXh2I5PpAQ6a8mU4Moc1AsMBgwAh0DfniazS7tgeQJzxKlUy18Bj5WEY9GP
        8WiCcJJst3Zwkis5esmfbYJ61QbfaShuyTu/VKYr9GhZYe+crSCSIZe9Lh1e8Q6c
        664/metpOM9xksdq2Whwp5rjHBsnxhrNUSqNiCdRsFDzR3q3jdMpVKqqocYH+U7Z
        gYEDFb5nVUDXqSfo9w/pD3r43/AF3gZtMOkXQ==
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp2.mailbox.org ([80.241.60.241])
        by gerste.heinlein-support.de (gerste.heinlein-support.de
 [91.198.250.173]) (amavisd-new, port 10030)
        with ESMTP id KqCf4o-Nc0xX; Fri, 22 Jan 2021 17:43:03 +0100 (CET)
From: Loris Reiff <loris.reiff@liblor.ch>
To: bpf@vger.kernel.org
Cc: netdev@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net,
        andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com,
        john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com,
        Loris Reiff <loris.reiff@liblor.ch>
Subject: [PATCH 2/2] bpf: cgroup: Fix problematic bounds check
Date: Fri, 22 Jan 2021 17:42:32 +0100
Message-Id: <20210122164232.61770-2-loris.reiff@liblor.ch>
In-Reply-To: <20210122164232.61770-1-loris.reiff@liblor.ch>
References: <20210122164232.61770-1-loris.reiff@liblor.ch>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MBO-SPAM-Probability: **
X-Rspamd-Score: 1.80 / 15.00 / 15.00
X-Rspamd-Queue-Id: DFC9117BA
X-Rspamd-UID: 65af45
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

Series

[1/2] bpf: cgroup: Fix optlen WARN_ON_ONCE toctou | expand

Context	Check	Description
netdev/tree_selection	success	Not a local patch

Context

Check

Description

netdev/tree_selection

success

Not a local patch

Commit Message

Loris Reiff Jan. 22, 2021, 4:42 p.m. UTC

Since ctx.optlen is signed, a larger value than max_value could be
passed, as it is later on used as unsigned, which causes a WARN_ON_ONCE
in the copy_to_user.

Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
Signed-off-by: Loris Reiff <loris.reiff@liblor.ch>
---
 kernel/bpf/cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stanislav Fomichev Jan. 22, 2021, 5:04 p.m. UTC | #1

On Fri, Jan 22, 2021 at 8:43 AM Loris Reiff <loris.reiff@liblor.ch> wrote:
>
> Since ctx.optlen is signed, a larger value than max_value could be
> passed, as it is later on used as unsigned, which causes a WARN_ON_ONCE
> in the copy_to_user.
>
> Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> Signed-off-by: Loris Reiff <loris.reiff@liblor.ch>
> ---
>  kernel/bpf/cgroup.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 6ec8f02f4..6aa9e10c6 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -1464,7 +1464,7 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
>                 goto out;
>         }
>
> -       if (ctx.optlen > max_optlen) {
> +       if (ctx.optlen > max_optlen || ctx.optlen < 0) {
>                 ret = -EFAULT;
>                 goto out;
>         }
> --
> 2.29.2
Thanks! I assume this is only an issue if the BPF program is written
incorrectly.

Reviewed-by: Stanislav Fomichev <sdf@google.com>

Loris Reiff Jan. 22, 2021, 5:10 p.m. UTC | #2

Excerpts from Stanislav Fomichev's message of January 22, 2021 18:04:
> Thanks! I assume this is only an issue if the BPF program is written
> incorrectly.

Yes exactly.

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 6ec8f02f4..6aa9e10c6 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1464,7 +1464,7 @@  int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
 		goto out;
 	}
 
-	if (ctx.optlen > max_optlen) {
+	if (ctx.optlen > max_optlen || ctx.optlen < 0) {
 		ret = -EFAULT;
 		goto out;
 	}

[2/2] bpf: cgroup: Fix problematic bounds check

Checks

Commit Message

Comments

Patch