[PATCH 5.4 08/65] bpf, cgroup: Fix optlen WARN_ON_ONCE toctou

8 Feb 2021

From: Loris Reiff loris.reiff@liblor.ch
[ Upstream commit bb8b81e396f7afbe7c50d789e2107512274d2a35 ]
A toctou issue in `__cgroup_bpf_run_filter_getsockopt` can trigger a
WARN_ON_ONCE in a check of `copy_from_user`.
`*optlen` is checked to be non-negative in the individual getsockopt
functions beforehand. Changing `*optlen` in a race to a negative value
will result in a `copy_from_user(ctx.optval, optval, ctx.optlen)` with
`ctx.optlen` being a negative integer.
Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
Signed-off-by: Loris Reiff loris.reiff@liblor.ch
Signed-off-by: Daniel Borkmann daniel@iogearbox.net
Reviewed-by: Stanislav Fomichev sdf@google.com
Link: https://lore.kernel.org/bpf/20210122164232.61770-1-loris.reiff@liblor.ch
Signed-off-by: Sasha Levin sashal@kernel.org
---
 kernel/bpf/cgroup.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 5a8b4dfdb1419..5b2413eb79db4 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1109,6 +1109,11 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
    		goto out;
    	}
+		if (ctx.optlen < 0) {
+			ret = -EFAULT;
+			goto out;
+		}
+
    	if (copy_from_user(ctx.optval, optval,
    			   min(ctx.optlen, max_optlen)) != 0) {
    		ret = -EFAULT;
-- 
2.27.0




    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 5.4 08/65] bpf, cgroup: Fix optlen WARN_ON_ONCE toctou