On Fri, Jan 22, 2021 at 8:43 AM Loris Reiff <loris.reiff@xxxxxxxxx> wrote:
>
> A toctou issue in `__cgroup_bpf_run_filter_getsockopt` can trigger a
> WARN_ON_ONCE in a check of `copy_from_user`.
> `*optlen` is checked to be non-negative in the individual getsockopt
> functions beforehand. Changing `*optlen` in a race to a negative value
> will result in a `copy_from_user(ctx.optval, optval, ctx.optlen)` with
> `ctx.optlen` being a negative integer.
>
> Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> Signed-off-by: Loris Reiff <loris.reiff@xxxxxxxxx>
> ---
> kernel/bpf/cgroup.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 96555a8a2..6ec8f02f4 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -1442,6 +1442,11 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
> goto out;
> }
>
> + if (ctx.optlen < 0) {
> + ret = -EFAULT;
> + goto out;
> + }
> +
> if (copy_from_user(ctx.optval, optval,
> min(ctx.optlen, max_optlen)) != 0) {
> ret = -EFAULT;
> --
> 2.29.2
Good point, user's optlen can be concurrently changed after the kernel
updated it.
Reviewed-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
