From patchwork Thu Nov 10 08:56:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alban Crequy X-Patchwork-Id: 13038474 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC550C4332F for ; Thu, 10 Nov 2022 08:56:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229447AbiKJI4q (ORCPT ); Thu, 10 Nov 2022 03:56:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229667AbiKJI4n (ORCPT ); Thu, 10 Nov 2022 03:56:43 -0500 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id EEA5A40912; Thu, 10 Nov 2022 00:56:42 -0800 (PST) Received: from neptune.. (ip5f592f1a.dynamic.kabel-deutschland.de [95.89.47.26]) by linux.microsoft.com (Postfix) with ESMTPSA id 5F1F520E67BB; Thu, 10 Nov 2022 00:56:38 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 5F1F520E67BB DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1668070602; bh=GmmcWRHXej2dQfvPtFxEWyzjKiiDadj2sFvtiycrCxE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ReyQjGm7vcTT5+EjufyZiuYxT3zEfu/hTGvQWVZ92UX8yY08quVAEEli7XHPUthHf oApL7sM0Xh/X4wP2quDfqW+lqR5FS6mamP608xvZ2/8K6VR2A289QbxueA23eoZPjZ RvasQusIguP7/J6k4RoRicSk4O9IuZAGqMhnBRqA= From: Alban Crequy To: bpf@vger.kernel.org Cc: stable@vger.kernel.org, albancrequy@linux.microsoft.com, flaniel@linux.microsoft.com, akpm@linux-foundation.org, andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net, haoluo@google.com, john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, martin.lau@linux.dev, mykolal@fb.com, sdf@google.com, shuah@kernel.org, song@kernel.org, yhs@fb.com Subject: [PATCH bpf v2 1/2] maccess: fix writing offset in case of fault in strncpy_from_kernel_nofault() Date: Thu, 10 Nov 2022 09:56:13 +0100 Message-Id: <20221110085614.111213-2-albancrequy@linux.microsoft.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20221110085614.111213-1-albancrequy@linux.microsoft.com> References: <20221110085614.111213-1-albancrequy@linux.microsoft.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later. Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly") Cc: [5.8] Signed-off-by: Alban Crequy Tested-by: Francis Laniel Reviewed-by: Andrew Morton --- Changes v1 to v2: - add 'cc:stable', 'Fixes:' and review tag - fix my email - rebase on bpf tree and tag for bpf tree --- mm/maccess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/maccess.c b/mm/maccess.c index 5f4d240f67ec..074f6b086671 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count) return src - unsafe_addr; Efault: pagefault_enable(); - dst[-1] = '\0'; + dst[0] = '\0'; return -EFAULT; } From patchwork Thu Nov 10 08:56:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alban Crequy X-Patchwork-Id: 13038475 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83132C4332F for ; Thu, 10 Nov 2022 08:56:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229657AbiKJI4v (ORCPT ); Thu, 10 Nov 2022 03:56:51 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229595AbiKJI4t (ORCPT ); Thu, 10 Nov 2022 03:56:49 -0500 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BC76A43875; Thu, 10 Nov 2022 00:56:48 -0800 (PST) Received: from neptune.. (ip5f592f1a.dynamic.kabel-deutschland.de [95.89.47.26]) by linux.microsoft.com (Postfix) with ESMTPSA id 2A82320B9F82; Thu, 10 Nov 2022 00:56:43 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2A82320B9F82 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1668070608; bh=szRQl4NOiVgJGz/y76Fur+iBXK/NfJEkjgmsWKFSiWU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nrXGpymqs4ouMJ0nRcC5r7dkMpIZK+4Vz2xiNtVc4FvCc7uU66XPckJEsAR2L2gbT yOKfI4o9Xz79KBhBz/hvhHlC9uWmr0uTEOYmUBnaCJeYif1Z/aH4DsEWIcHdsQxH5Y tqaUGVL0KodUOZn1Q4EI5XbphCHbF/q61DfvyENo= From: Alban Crequy To: bpf@vger.kernel.org Cc: stable@vger.kernel.org, albancrequy@linux.microsoft.com, flaniel@linux.microsoft.com, akpm@linux-foundation.org, andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net, haoluo@google.com, john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, martin.lau@linux.dev, mykolal@fb.com, sdf@google.com, shuah@kernel.org, song@kernel.org, yhs@fb.com Subject: [PATCH bpf v2 2/2] selftests: bpf: add a test when bpf_probe_read_kernel_str() returns EFAULT Date: Thu, 10 Nov 2022 09:56:14 +0100 Message-Id: <20221110085614.111213-3-albancrequy@linux.microsoft.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20221110085614.111213-1-albancrequy@linux.microsoft.com> References: <20221110085614.111213-1-albancrequy@linux.microsoft.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org This commit tests previous fix of bpf_probe_read_kernel_str(). The BPF helper bpf_probe_read_kernel_str should return -EFAULT when given a bad source pointer and the target buffer should only be modified to make the string NULL terminated. bpf_probe_read_kernel_str() was previously inserting a NULL before the beginning of the dst buffer. This test should ensure that the implementation stays correct for now on. Without the fix, this test will fail as follows: $ cd tools/testing/selftests/bpf $ make $ sudo ./test_progs --name=varlen ... test_varlen:FAIL:check got 0 != exp 66 Signed-off-by: Alban Crequy Signed-off-by: Francis Laniel Acked-by: Yonghong Song Changes v1 to v2: - add ack tag - fix my email - rebase on bpf tree and tag for bpf tree --- tools/testing/selftests/bpf/prog_tests/varlen.c | 7 +++++++ tools/testing/selftests/bpf/progs/test_varlen.c | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/tools/testing/selftests/bpf/prog_tests/varlen.c b/tools/testing/selftests/bpf/prog_tests/varlen.c index dd324b4933db..4d7056f8f177 100644 --- a/tools/testing/selftests/bpf/prog_tests/varlen.c +++ b/tools/testing/selftests/bpf/prog_tests/varlen.c @@ -63,6 +63,13 @@ void test_varlen(void) CHECK_VAL(data->total4, size1 + size2); CHECK(memcmp(data->payload4, exp_str, size1 + size2), "content_check", "doesn't match!\n"); + + CHECK_VAL(bss->ret_bad_read, -EFAULT); + CHECK_VAL(data->payload_bad[0], 0x42); + CHECK_VAL(data->payload_bad[1], 0x42); + CHECK_VAL(data->payload_bad[2], 0); + CHECK_VAL(data->payload_bad[3], 0x42); + CHECK_VAL(data->payload_bad[4], 0x42); cleanup: test_varlen__destroy(skel); } diff --git a/tools/testing/selftests/bpf/progs/test_varlen.c b/tools/testing/selftests/bpf/progs/test_varlen.c index 3987ff174f1f..20eb7d422c41 100644 --- a/tools/testing/selftests/bpf/progs/test_varlen.c +++ b/tools/testing/selftests/bpf/progs/test_varlen.c @@ -19,6 +19,7 @@ __u64 payload1_len1 = 0; __u64 payload1_len2 = 0; __u64 total1 = 0; char payload1[MAX_LEN + MAX_LEN] = {}; +__u64 ret_bad_read = 0; /* .data */ int payload2_len1 = -1; @@ -36,6 +37,8 @@ int payload4_len2 = -1; int total4= -1; char payload4[MAX_LEN + MAX_LEN] = { 1 }; +char payload_bad[5] = { 0x42, 0x42, 0x42, 0x42, 0x42 }; + SEC("raw_tp/sys_enter") int handler64_unsigned(void *regs) { @@ -61,6 +64,8 @@ int handler64_unsigned(void *regs) total1 = payload - (void *)payload1; + ret_bad_read = bpf_probe_read_kernel_str(payload_bad + 2, 1, (void *) -1); + return 0; }