From: Peter Zijlstra <peterz@infradead.org>
To: Kevin Sheldrake <Kevin.Sheldrake@microsoft.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Ingo Molnar <mingo@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Network Development <netdev@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
KP Singh <kpsingh@google.com>
Subject: Re: [EXTERNAL] Re: [PATCH bpf-next v2] Update perf ring buffer to prevent corruption
Date: Mon, 9 Nov 2020 18:55:12 +0100 [thread overview]
Message-ID: <20201109175512.GQ2594@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <VI1PR8303MB0080D892288E0137AA585778FBEA0@VI1PR8303MB0080.EURPRD83.prod.outlook.com>
On Mon, Nov 09, 2020 at 02:22:28PM +0000, Kevin Sheldrake wrote:
> I triggered the corruption by sending samples larger than 64KB-24 bytes
> to a perf ring buffer from eBPF using bpf_perf_event_output(). The u16
> that holds the size in the struct perf_event_header is overflowed and
> the distance between adjacent samples in the perf ring buffer is set
> by this overflowed value; hence if samples of 64KB are sent, adjacent
> samples are placed 24 bytes apart in the ring buffer, with the later ones
> overwriting parts of the earlier ones. If samples aren't read as quickly
> as they are received, then they are corrupted by the time they are read.
>
> Attempts to fix this in the eBPF verifier failed as the actual sample is
> constructed from a variable sized header in addition to the raw data
> supplied from eBPF. The sample is constructed in perf_prepare_sample(),
> outside of the eBPF engine.
>
> My proposed fix is to check that the constructed size is <U16_MAX before
> committing it to the struct perf_event_header::size variable.
>
> A reproduction of the bug can be found at:
> https://github.com/microsoft/OMS-Auditd-Plugin/tree/MSTIC-Research/ebpf_perf_output_poc
OK, so I can't actually operate any of this fancy BPF nonsense. But if
I'm not mistaken this calls into:
kernel/trace/bpf_trace.c:BPF_CALL_5(bpf_perf_event_output) with a giant
@data.
Let me try and figure out what that code does.
next prev parent reply other threads:[~2020-11-09 17:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-05 15:16 [PATCH bpf-next v2] Update perf ring buffer to prevent corruption Kevin Sheldrake
2020-11-05 19:07 ` Andrii Nakryiko
2020-11-05 19:37 ` KP Singh
2020-11-06 4:19 ` Alexei Starovoitov
2020-11-09 11:29 ` Peter Zijlstra
2020-11-09 14:22 ` [EXTERNAL] " Kevin Sheldrake
2020-11-09 17:55 ` Peter Zijlstra [this message]
2020-11-09 18:22 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201109175512.GQ2594@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=Kevin.Sheldrake@microsoft.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@google.com \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.