git.baikalelectronics.ru Git - kernel.git/commit

author	Martin Lau <kafai@fb.com>
	Wed, 24 Oct 2018 20:42:25 +0000 (20:42 +0000)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Thu, 25 Oct 2018 22:42:03 +0000 (00:42 +0200)
commit	df70be9bdc39c2ef5c8f659c2e5960a8ecfdd12b
tree	894c34812dfa0157c7ebc6e49be6d1b60c73d19c	tree \| snapshot
parent	de80718dd51512151bfe29f93ea56813eef3a587	commit \| diff

bpf, btf: fix a missing check bug in btf_parse

Wenwen Wang reported:

  In btf_parse(), the header of the user-space btf data 'btf_data'
  is firstly parsed and verified through btf_parse_hdr().
  In btf_parse_hdr(), the header is copied from user-space 'btf_data'
  to kernel-space 'btf->hdr' and then verified. If no error happens
  during the verification process, the whole data of 'btf_data',
  including the header, is then copied to 'data' in btf_parse(). It
  is obvious that the header is copied twice here. More importantly,
  no check is enforced after the second copy to make sure the headers
  obtained in these two copies are same. Given that 'btf_data' resides
  in the user space, a malicious user can race to modify the header
  between these two copies. By doing so, the user can inject
  inconsistent data, which can cause undefined behavior of the
  kernel and introduce potential security risk.

This issue is similar to the one fixed in commit 84c677afbf93 ("bpf:
btf: Fix a missing check bug"). To fix it, this patch copies the user
'btf_data' *before* parsing / verifying the BTF header.

Fixes: af3cbd4c20fa ("bpf: btf: Introduce BPF Type Format (BTF)")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Co-developed-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>