Re: [Potential Spoof] Re: [PATCH 6/6] sysctl: pass kernel pointers to ->proc_handler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Andrey Ignatov <rdna@xxxxxx> [Fri, 2020-04-17 12:41 -0700]:
> Christoph Hellwig <hch@xxxxxx> [Thu, 2020-04-16 23:42 -0700]:

...

> > @@ -564,27 +564,36 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
> >  	if (!table->proc_handler)
> >  		goto out;
> >  
> > -	error = BPF_CGROUP_RUN_PROG_SYSCTL(head, table, write, buf, &count,
> > -					   ppos, &new_buf);
> > +	if (write) {
> > +		kbuf = memdup_user_nul(ubuf, count);
> > +		if (IS_ERR(kbuf)) {
> > +			error = PTR_ERR(kbuf);
> > +			goto out;
> > +		}
> > +	} else {
> > +		error = -ENOMEM;
> > +		kbuf = kzalloc(count, GFP_KERNEL);
> > +		if (!kbuf)
> > +			goto out;
> > +	}
> > +
> > +	error = BPF_CGROUP_RUN_PROG_SYSCTL(head, table, write, &kbuf, &count,
> > +					   ppos);
> >  	if (error)
> > -		goto out;
> > +		goto out_free_buf;
> >  
> >  	/* careful: calling conventions are nasty here */
> > -	if (new_buf) {
> > -		mm_segment_t old_fs;
> > -
> > -		old_fs = get_fs();
> > -		set_fs(KERNEL_DS);
> > -		error = table->proc_handler(table, write, (void __user *)new_buf,
> > -					    &count, ppos);
> > -		set_fs(old_fs);
> > -		kfree(new_buf);
> > -	} else {
> > -		error = table->proc_handler(table, write, buf, &count, ppos);
> > -	}
> > +	error = table->proc_handler(table, write, kbuf, &count, ppos);
> > +	if (error)
> > +		goto out_free_buf;
> > +
> > +	error = -EFAULT;
> > +	if (copy_to_user(ubuf, kbuf, count))
> > +		goto out_free_buf;

This copy_to_user is where the last failing test I mentioned in the
previous email was failing:

> Test case: sysctl_set_new_value sysctl:write ok .. [FAIL]

What the test does is it attaches BPF program that overrides the value
that user is trying to write to sysctl net/ipv4/route/mtu_expires.

User tries to write "606", BPF program overrides it with "600" using
bpf_sysctl_set_new_value() helper.

This leads to kbuf being replaced in BPF_CGROUP_RUN_PROG_SYSCTL call
above with a new buffer allocated inside __cgroup_bpf_run_filter_sysctl.
And when this new buffer is tried to be copied to user here it fails.

In `strace -e ./test_sysctl` it can be seen as:

	write(5, "606", 3)                      = -1 EFAULT (Bad address)

I also verified same with printk.

Changing it to:

	if (!write && copy_to_user(ubuf, kbuf, count))

(basically what Matthew Wilcox suggested earlier) fixes the problem.


> >  
> > -	if (!error)
> > -		error = count;
> > +	error = count;
> > +out_free_buf:
> > +	kfree(kbuf);
> >  out:
> >  	sysctl_head_finish(head);
> >  

...

> I applied the whole patchset to bpf-next tree and run selftests. This
> patch breaks 4 of them:
> 
> 	% cd tools/testing/selftests/bpf/
> 	% ./test_sysctl
> 	...
> 	Test case: sysctl_get_new_value sysctl:write ok .. [FAIL]
> 	Test case: sysctl_get_new_value sysctl:write ok long .. [FAIL]
> 	Test case: sysctl_get_new_value sysctl:write E2BIG .. [FAIL]
> 	Test case: sysctl_set_new_value sysctl:read EINVAL .. [PASS]
> 	Test case: sysctl_set_new_value sysctl:write ok .. [FAIL]
> 	...
> 	Summary: 36 PASSED, 4 FAILED
> 
> I applied both changes I suggested above and it reduces number of broken
> selftests to one:
> 
> Test case: sysctl_set_new_value sysctl:write ok .. [FAIL]
> 
> I haven't debugged this last one though yet ..

-- 
Andrey Ignatov



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux