Hi.
First of all, I hope you are fine and the same for your relatives.
This contribution fixes a bug where the byte before the destination address can be reset when a page fault occurs in strncpy_from_kernel_nofault() while copying the first byte from the source address.
This bug leaded to kernel panic if a pointer containing the modified address is dereferenced as the pointer does not contain a correct addresss.
To fix this bug, we simply reset the current destination byte in a case of a page fault. The proposed fix was tested and validated inside a VM: root@vm-amd64:~# ./share/linux/tools/testing/selftests/bpf/test_progs --name varlen ... #222 varlen:OK Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED Without the patch, the test will fail: root@vm-amd64:~# ./share/linux/tools/testing/selftests/bpf/test_progs --name varlen ... #222 varlen:FAIL Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
If you see any way to improve this contribution, feel free to share.
Alban Crequy (2): maccess: fix writing offset in case of fault in strncpy_from_kernel_nofault() selftests: bpf: add a test when bpf_probe_read_kernel_str() returns EFAULT
mm/maccess.c | 2 +- tools/testing/selftests/bpf/prog_tests/varlen.c | 7 +++++++ tools/testing/selftests/bpf/progs/test_varlen.c | 5 +++++ 3 files changed, 13 insertions(+), 1 deletion(-)
Best regards and thank you in advance. -- 2.25.1
From: Alban Crequy albancrequy@microsoft.com
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later.
Signed-off-by: Alban Crequy albancrequy@microsoft.com Tested-by: Francis Laniel flaniel@linux.microsoft.com --- mm/maccess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/maccess.c b/mm/maccess.c index 5f4d240f67ec..074f6b086671 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count) return src - unsafe_addr; Efault: pagefault_enable(); - dst[-1] = '\0'; + dst[0] = '\0'; return -EFAULT; }
-- 2.25.1
On 11/8/22 11:52 AM, Francis Laniel wrote:
From: Alban Crequy albancrequy@microsoft.com
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later.
Signed-off-by: Alban Crequy albancrequy@microsoft.com Tested-by: Francis Laniel flaniel@linux.microsoft.com
mm/maccess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/maccess.c b/mm/maccess.c index 5f4d240f67ec..074f6b086671 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count) return src - unsafe_addr; Efault: pagefault_enable();
- dst[-1] = '\0';
- dst[0] = '\0';
What if the fault is due to dst, so the above won't work, right?
The original code should work fine if the first byte copy is successful. For the first byte copy fault, maybe just to leave it as is?
return -EFAULT; }
-- 2.25.1
On 11/8/22 12:35 PM, Yonghong Song wrote:
On 11/8/22 11:52 AM, Francis Laniel wrote:
From: Alban Crequy albancrequy@microsoft.com
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later.
Signed-off-by: Alban Crequy albancrequy@microsoft.com Tested-by: Francis Laniel flaniel@linux.microsoft.com
mm/maccess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/maccess.c b/mm/maccess.c index 5f4d240f67ec..074f6b086671 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count) return src - unsafe_addr; Efault: pagefault_enable(); - dst[-1] = '\0'; + dst[0] = '\0';
What if the fault is due to dst, so the above won't work, right?
The original code should work fine if the first byte copy is successful. For the first byte copy fault, maybe just to leave it as is?
Okay, the dst is always safe (from func signature), so change looks okay to me. Probably mm people can double check.
return -EFAULT; }
-- 2.25.1
On Tue, 8 Nov 2022 12:38:53 -0800 Yonghong Song yhs@meta.com wrote:
On 11/8/22 12:35 PM, Yonghong Song wrote:
On 11/8/22 11:52 AM, Francis Laniel wrote:
From: Alban Crequy albancrequy@microsoft.com
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later.
Signed-off-by: Alban Crequy albancrequy@microsoft.com Tested-by: Francis Laniel flaniel@linux.microsoft.com
mm/maccess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/maccess.c b/mm/maccess.c index 5f4d240f67ec..074f6b086671 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count) return src - unsafe_addr; Efault: pagefault_enable(); - dst[-1] = '\0'; + dst[0] = '\0';
What if the fault is due to dst, so the above won't work, right?
The original code should work fine if the first byte copy is successful. For the first byte copy fault, maybe just to leave it as is?
Okay, the dst is always safe (from func signature), so change looks okay to me. Probably mm people can double check.
My understanding was that the bpf verifier is supposed to check that the dst pointer is safe. But I don't know where it is done, and I don't know how it can check that the dst buffer is big enough.
return -EFAULT; }
-- 2.25.1
On 11/9/22 3:23 AM, Alban Crequy wrote:
On Tue, 8 Nov 2022 12:38:53 -0800 Yonghong Song yhs@meta.com wrote:
On 11/8/22 12:35 PM, Yonghong Song wrote:
On 11/8/22 11:52 AM, Francis Laniel wrote:
From: Alban Crequy albancrequy@microsoft.com
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later.
Signed-off-by: Alban Crequy albancrequy@microsoft.com Tested-by: Francis Laniel flaniel@linux.microsoft.com
mm/maccess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/maccess.c b/mm/maccess.c index 5f4d240f67ec..074f6b086671 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count) return src - unsafe_addr; Efault: pagefault_enable(); - dst[-1] = '\0'; + dst[0] = '\0';
What if the fault is due to dst, so the above won't work, right?
The original code should work fine if the first byte copy is successful. For the first byte copy fault, maybe just to leave it as is?
Okay, the dst is always safe (from func signature), so change looks okay to me. Probably mm people can double check.
My understanding was that the bpf verifier is supposed to check that the dst pointer is safe. But I don't know where it is done, and I don't know how it can check that the dst buffer is big enough.
Yes, the verifier ensures the buffer actually has the capacity for the buffer size. So we are fine here for 'dst' buffer.
return -EFAULT; }
-- 2.25.1
On Tue, 8 Nov 2022 20:52:06 +0100 Francis Laniel flaniel@linux.microsoft.com wrote:
From: Alban Crequy albancrequy@microsoft.com
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later.
Signed-off-by: Alban Crequy albancrequy@microsoft.com Tested-by: Francis Laniel flaniel@linux.microsoft.com
Reviewed-by: Andrew Morton akpm@linux-foundation.org
Please merge via the bpf tree.
This looks potentially nasty. Fortunately only tracing code uses it, but I'm thinking it should have cc:stable and a Fixes:?
Hi.
Le mardi 8 novembre 2022, 22:05:51 CET Andrew Morton a écrit :
On Tue, 8 Nov 2022 20:52:06 +0100 Francis Laniel
flaniel@linux.microsoft.com wrote:
From: Alban Crequy albancrequy@microsoft.com
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later.
Signed-off-by: Alban Crequy albancrequy@microsoft.com Tested-by: Francis Laniel flaniel@linux.microsoft.com
Reviewed-by: Andrew Morton akpm@linux-foundation.org
Please merge via the bpf tree.
This looks potentially nasty. Fortunately only tracing code uses it, but I'm thinking it should have cc:stable and a Fixes:?
Thank you for the review! Sorry, I thought to add stable list but forgot to add it when sending the series... I will sent a v2 with your review and without rfc tag to, among others, stable.
From: Alban Crequy albancrequy@microsoft.com
This commit tests previous fix of bpf_probe_read_kernel_str().
Signed-off-by: Alban Crequy albancrequy@microsoft.com Signed-off-by: Francis Laniel flaniel@linux.microsoft.com --- tools/testing/selftests/bpf/prog_tests/varlen.c | 7 +++++++ tools/testing/selftests/bpf/progs/test_varlen.c | 5 +++++ 2 files changed, 12 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/varlen.c b/tools/testing/selftests/bpf/prog_tests/varlen.c index dd324b4933db..4d7056f8f177 100644 --- a/tools/testing/selftests/bpf/prog_tests/varlen.c +++ b/tools/testing/selftests/bpf/prog_tests/varlen.c @@ -63,6 +63,13 @@ void test_varlen(void) CHECK_VAL(data->total4, size1 + size2); CHECK(memcmp(data->payload4, exp_str, size1 + size2), "content_check", "doesn't match!\n"); + + CHECK_VAL(bss->ret_bad_read, -EFAULT); + CHECK_VAL(data->payload_bad[0], 0x42); + CHECK_VAL(data->payload_bad[1], 0x42); + CHECK_VAL(data->payload_bad[2], 0); + CHECK_VAL(data->payload_bad[3], 0x42); + CHECK_VAL(data->payload_bad[4], 0x42); cleanup: test_varlen__destroy(skel); } diff --git a/tools/testing/selftests/bpf/progs/test_varlen.c b/tools/testing/selftests/bpf/progs/test_varlen.c index 3987ff174f1f..20eb7d422c41 100644 --- a/tools/testing/selftests/bpf/progs/test_varlen.c +++ b/tools/testing/selftests/bpf/progs/test_varlen.c @@ -19,6 +19,7 @@ __u64 payload1_len1 = 0; __u64 payload1_len2 = 0; __u64 total1 = 0; char payload1[MAX_LEN + MAX_LEN] = {}; +__u64 ret_bad_read = 0;
/* .data */ int payload2_len1 = -1; @@ -36,6 +37,8 @@ int payload4_len2 = -1; int total4= -1; char payload4[MAX_LEN + MAX_LEN] = { 1 };
+char payload_bad[5] = { 0x42, 0x42, 0x42, 0x42, 0x42 }; + SEC("raw_tp/sys_enter") int handler64_unsigned(void *regs) { @@ -61,6 +64,8 @@ int handler64_unsigned(void *regs)
total1 = payload - (void *)payload1;
+ ret_bad_read = bpf_probe_read_kernel_str(payload_bad + 2, 1, (void *) -1); + return 0; }
On 11/8/22 11:52 AM, Francis Laniel wrote:
From: Alban Crequy albancrequy@microsoft.com
This commit tests previous fix of bpf_probe_read_kernel_str().
Signed-off-by: Alban Crequy albancrequy@microsoft.com Signed-off-by: Francis Laniel flaniel@linux.microsoft.com
Acked-by: Yonghong Song yhs@fb.com
linux-kselftest-mirror@lists.linaro.org
-
Alban Crequy -
Andrew Morton -
Francis Laniel -
Yonghong Song