git.baikalelectronics.ru Git - kernel.git/commit

author	Daniel Borkmann <daniel@iogearbox.net>
	Tue, 7 Dec 2021 11:02:02 +0000 (11:02 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 22 Dec 2021 08:32:35 +0000 (09:32 +0100)
commit	ee82000b9842689f2a2f867b73c9a68ce2d75ca0
tree	2535725546f1888d39e4c274983121082666de6c	tree \| snapshot
parent	d2c6e9c1a89689a2403bfa6791623e9dc673eb16	commit \| diff

bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg

commit 180857e908137f937ff8697ed94207295ff350ba upstream.

The implementation of BPF_CMPXCHG on a high level has the following parameters:

  .-[old-val]                                          .-[new-val]
  BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG)
                          `-[mem-loc]          `-[old-val]

Given a BPF insn can only have two registers (dst, src), the R0 is fixed and
used as an auxilliary register for input (old value) as well as output (returning
old value from memory location). While the verifier performs a number of safety
checks, it misses to reject unprivileged programs where R0 contains a pointer as
old value.

Through brute-forcing it takes about ~16sec on my machine to leak a kernel pointer
with BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the
guessed address into the map slot as a scalar, and using the map value pointer as
R0 while SRC_REG has a canary value to detect a matching address.

Fix it by checking R0 for pointers, and reject if that's the case for unprivileged
programs.

Fixes: 9926a86ca42f ("bpf: Add instructions for atomic_[cmp]xchg")
Reported-by: Ryota Shiga (Flatt Security)
Acked-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>