On Fri, Mar 20, 2020 at 05:04:24PM +0100, Daniel Borkmann wrote: > On 3/20/20 4:45 PM, Greg Kroah-Hartman wrote: > > On Fri, Mar 20, 2020 at 04:24:32PM +0100, Daniel Borkmann wrote: > > > On 3/20/20 10:48 AM, Greg Kroah-Hartman wrote: > > > > For the bpf syscall, we are relying on the compiler to properly zero out > > > > the bpf_attr union that we copy userspace data into. Unfortunately that > > > > doesn't always work properly, padding and other oddities might not be > > > > correctly zeroed, and in some tests odd things have been found when the > > > > stack is pre-initialized to other values. > > > > > > > > Fix this by explicitly memsetting the structure to 0 before using it. > > > > > > > > Reported-by: Maciej Żenczykowski <maze@xxxxxxxxxx> > > > > Reported-by: John Stultz <john.stultz@xxxxxxxxxx> > > > > Reported-by: Alexander Potapenko <glider@xxxxxxxxxx> > > > > Reported-by: Alistair Delva <adelva@xxxxxxxxxx> > > > > Cc: stable <stable@xxxxxxxxxxxxxxx> > > > > Link: https://android-review.googlesource.com/c/kernel/common/+/1235490 > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > > > --- > > > > kernel/bpf/syscall.c | 3 ++- > > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > > > > index a91ad518c050..a4b1de8ea409 100644 > > > > --- a/kernel/bpf/syscall.c > > > > +++ b/kernel/bpf/syscall.c > > > > @@ -3354,7 +3354,7 @@ static int bpf_map_do_batch(const union bpf_attr *attr, > > > > SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size) > > > > { > > > > - union bpf_attr attr = {}; > > > > + union bpf_attr attr; > > > > int err; > > > > if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) > > > > @@ -3366,6 +3366,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz > > > > size = min_t(u32, size, sizeof(attr)); > > > > /* copy attributes from user space, may be less than sizeof(bpf_attr) */ > > > > + memset(&attr, 0, sizeof(attr)); > > > > > > Thanks for the fix, there are a few more of these places. We would also need > > > to cover: > > > > > > - bpf_prog_get_info_by_fd() > > > > Unless I am mistaken, struct bpf_prog_info is packed fully, with no > > holes, so this shouldn't be an issue there. > > It does have a '/* XXX 31 bits hole, try to pack */' but I presume the compiler > might simply zero it in this case. > > > > - bpf_map_get_info_by_fd() > > > > No padding in struct bpf_map_info that I can see, so I doubt this is > > needed there. > > > > > - btf_get_info_by_fd() > > > > There is no padding in struct bpf_btf_info, so that's not needed there, > > but I can add it if you really want. > > > > I can change these, but I don't think that there currently is a bug in > > those functions, unlike with "union bpf_attr" which, as Yonghong points > > out, is tripping on the CHECK_ATTR() test later on. > > Got it, my main concern is that the next time someone extends these fields with > new members we could potentially add holes in there as well and we'll run into > the same issue twice, example from the past is b85fab0e67b1 ("bpf: Add gpl_compatible > flag to struct bpf_prog_info"). Fair enough, I'll make a second patch for this, as there's no known issue today with those initializations that need to be backported to the stable tree :) thanks, greg k-h
