Re: [PATCH] bpf: btf: Fix a missing check bug

From: valdis . kletnieks
Date: Mon Oct 08 2018 - 17:17:22 EST

Next message: Alex_Gagniuc: "Re: [PATCH 1/9] PCI: sysfs: Export available PCIe bandwidth"
Previous message: john . hubbard: "[PATCH v4 3/3] infiniband/mm: convert put_page() to put_user_page*()"
In reply to: Song Liu: "Re: [PATCH] bpf: btf: Fix a missing check bug"
Next in thread: Song Liu: "Re: [PATCH] bpf: btf: Fix a missing check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 08 Oct 2018 13:51:09 -0700, Song Liu said:
> On Sun, Oct 7, 2018 at 1:26 PM Wenwen Wang <wang6495@xxxxxxx> wrote:

> > same value. Given that the btf data is in the user space, a malicious user
> > can race to change the data between the two copies. By doing so, the user
> > can provide malicious data to the kernel and cause undefined behavior.

> These two numbers are copied from same memory location, right? So I
> think this check is not necessary?

Security researchers call this a TOCTOU bug - Time of Check - Time of Use.

What can happen:

1) We fetch the value (say we get 90) from userspace and stash it in hdr_len.

2) We do some other stuff like check the hdr_len isn't too big, etc..

meanwhile, on another CPU running another thread of the process...
3) malicious code stuffs a 117 into that field

4) We fetch the entire header, incliding a now-changed hdr_len (now 117) and
stick it in btf->hdr->hdr_len.

5) Any code that assumes that hdr_len and btf->hdr->hdr_len are the same value
explodes in interesting ways.

Attachment: pgptxYyhhvkCC.pgp
Description: PGP signature

Next message: Alex_Gagniuc: "Re: [PATCH 1/9] PCI: sysfs: Export available PCIe bandwidth"
Previous message: john . hubbard: "[PATCH v4 3/3] infiniband/mm: convert put_page() to put_user_page*()"
In reply to: Song Liu: "Re: [PATCH] bpf: btf: Fix a missing check bug"
Next in thread: Song Liu: "Re: [PATCH] bpf: btf: Fix a missing check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]