From: "Daniel Xu" <dxu@dxuuu.xyz>
To: "Andrii Nakryiko" <andrii.nakryiko@gmail.com>
Cc: "bpf" <bpf@vger.kernel.org>,
"open list" <linux-kernel@vger.kernel.org>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Song Liu" <songliubraving@fb.com>,
"Kernel Team" <kernel-team@fb.com>
Subject: Re: [PATCH bpf v5 0/2] Fix bpf_probe_read_user_str() overcopying
Date: Thu, 12 Nov 2020 11:10:59 -0800 [thread overview]
Message-ID: <C71IU5Z0R6UI.29FQP3BCZ65ZC@maharaja> (raw)
In-Reply-To: <CAEf4BzZx=7N6dbKk8Eb_k-FA-PmmPFBJ=V-PLhbDu38wuXkOkw@mail.gmail.com>
On Wed Nov 11, 2020 at 3:22 PM PST, Andrii Nakryiko wrote:
> On Wed, Nov 11, 2020 at 2:46 PM Daniel Xu <dxu@dxuuu.xyz> wrote:
> >
> > 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user,
> > kernel}_str helpers") introduced a subtle bug where
> > bpf_probe_read_user_str() would potentially copy a few extra bytes after
> > the NUL terminator.
> >
> > This issue is particularly nefarious when strings are used as map keys,
> > as seemingly identical strings can occupy multiple entries in a map.
> >
> > This patchset fixes the issue and introduces a selftest to prevent
> > future regressions.
> >
> > v4 -> v5:
> > * don't read potentially uninitialized memory
>
> I think the bigger problem was that it could overwrite unintended
> memory. E.g., in BPF program, if you had something like:
>
> char my_buf[8 + 3];
> char my_precious_data[5] = {1, 2, 3, 4, 5};
How does that happen?
The
while (max >= sizeof(unsigned long)) {
/* copy 4 bytes */
max -= sizeof(unsigned long)
}
/* copy byte at a time */
where `max` is the user supplied length should prevent that kind of
corruption, right?
[...]
next prev parent reply other threads:[~2020-11-12 19:13 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-11 22:45 [PATCH bpf v5 0/2] Fix bpf_probe_read_user_str() overcopying Daniel Xu
2020-11-11 22:45 ` [PATCH bpf v5 1/2] lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator Daniel Xu
2020-11-11 23:20 ` Andrii Nakryiko
2020-11-13 17:03 ` Alexei Starovoitov
2020-11-13 18:08 ` Linus Torvalds
2020-11-13 19:17 ` Alexei Starovoitov
2020-11-13 19:29 ` Linus Torvalds
2020-11-13 19:46 ` Linus Torvalds
2020-11-13 20:10 ` Linus Torvalds
2020-11-13 20:57 ` Alexei Starovoitov
2020-11-13 21:14 ` Linus Torvalds
2020-11-11 22:45 ` [PATCH bpf v5 2/2] selftest/bpf: Test bpf_probe_read_user_str() strips trailing bytes after NUL Daniel Xu
2020-11-11 23:22 ` [PATCH bpf v5 0/2] Fix bpf_probe_read_user_str() overcopying Andrii Nakryiko
2020-11-12 19:10 ` Daniel Xu [this message]
2020-11-12 19:24 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=C71IU5Z0R6UI.29FQP3BCZ65ZC@maharaja \
--to=dxu@dxuuu.xyz \
--cc=andrii.nakryiko@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=songliubraving@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).