Re: [PATCH] bpf: btf: Fix a missing check bug
From: valdis . kletnieks
Date: Mon Oct 08 2018 - 17:17:22 EST
On Mon, 08 Oct 2018 13:51:09 -0700, Song Liu said:
> On Sun, Oct 7, 2018 at 1:26 PM Wenwen Wang <wang6495@xxxxxxx> wrote:
> > same value. Given that the btf data is in the user space, a malicious user
> > can race to change the data between the two copies. By doing so, the user
> > can provide malicious data to the kernel and cause undefined behavior.
> These two numbers are copied from same memory location, right? So I
> think this check is not necessary?
Security researchers call this a TOCTOU bug - Time of Check - Time of Use.
What can happen:
1) We fetch the value (say we get 90) from userspace and stash it in hdr_len.
2) We do some other stuff like check the hdr_len isn't too big, etc..
meanwhile, on another CPU running another thread of the process...
3) malicious code stuffs a 117 into that field
4) We fetch the entire header, incliding a now-changed hdr_len (now 117) and
stick it in btf->hdr->hdr_len.
5) Any code that assumes that hdr_len and btf->hdr->hdr_len are the same value
explodes in interesting ways.
Attachment:
pgptxYyhhvkCC.pgp
Description: PGP signature