https://github.com/torvalds/linux
Revision fbca9d2d35c6ef1b323fae75cc9545005ba25097 authored by Daniel Borkmann on 30 November 2015, 12:02:56 UTC, committed by David S. Miller on 02 December 2015, 02:56:17 UTC
During own review but also reported by Dmitry's syzkaller [1] it has been noticed that we trigger a heap out-of-bounds access on eBPF array maps when updating elements. This happens with each map whose map->value_size (specified during map creation time) is not multiple of 8 bytes. In array_map_alloc(), elem_size is round_up(attr->value_size, 8) and used to align array map slots for faster access. However, in function array_map_update_elem(), we update the element as ... memcpy(array->value + array->elem_size * index, value, array->elem_size); ... where we access 'value' out-of-bounds, since it was allocated from map_update_elem() from syscall side as kmalloc(map->value_size, GFP_USER) and later on copied through copy_from_user(value, uvalue, map->value_size). Thus, up to 7 bytes, we can access out-of-bounds. Same could happen from within an eBPF program, where in worst case we access beyond an eBPF program's designated stack. Since 1be7f75d1668 ("bpf: enable non-root eBPF programs") didn't hit an official release yet, it only affects priviledged users. In case of array_map_lookup_elem(), the verifier prevents eBPF programs from accessing beyond map->value_size through check_map_access(). Also from syscall side map_lookup_elem() only copies map->value_size back to user, so nothing could leak. [1] http://github.com/google/syzkaller Fixes: 28fbcfa08d8e ("bpf: add array type of eBPF maps") Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent ceb5d58
Tip revision: fbca9d2d35c6ef1b323fae75cc9545005ba25097 authored by Daniel Borkmann on 30 November 2015, 12:02:56 UTC
bpf, array: fix heap out-of-bounds access when updating elements
bpf, array: fix heap out-of-bounds access when updating elements
Tip revision: fbca9d2
File | Mode | Size |
---|---|---|
Documentation | ||
arch | ||
block | ||
certs | ||
crypto | ||
drivers | ||
firmware | ||
fs | ||
include | ||
init | ||
ipc | ||
kernel | ||
lib | ||
mm | ||
net | ||
samples | ||
scripts | ||
security | ||
sound | ||
tools | ||
usr | ||
virt | ||
.get_maintainer.ignore | -rw-r--r-- | 31 bytes |
.gitignore | -rw-r--r-- | 1.2 KB |
.mailmap | -rw-r--r-- | 5.4 KB |
COPYING | -rw-r--r-- | 18.3 KB |
CREDITS | -rw-r--r-- | 94.9 KB |
Kbuild | -rw-r--r-- | 2.6 KB |
Kconfig | -rw-r--r-- | 252 bytes |
MAINTAINERS | -rw-r--r-- | 327.8 KB |
Makefile | -rw-r--r-- | 53.5 KB |
README | -rw-r--r-- | 18.2 KB |
REPORTING-BUGS | -rw-r--r-- | 7.3 KB |
Computing file changes ...