This is a note to let you know that I've just added the patch titled
bpf, array: fix heap out-of-bounds access when updating elements
to the 4.2-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bpf-array-fix-heap-out-of-bounds-access-when-updating-elements.patch
and it can be found in the queue-4.2 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From foo@baz Fri Dec 11 11:38:35 EST 2015
From: Daniel Borkmann <[email protected]>
Date: Mon, 30 Nov 2015 13:02:56 +0100
Subject: bpf, array: fix heap out-of-bounds access when updating elements
From: Daniel Borkmann <[email protected]>
[ Upstream commit fbca9d2d35c6ef1b323fae75cc9545005ba25097 ]
During own review but also reported by Dmitry's syzkaller [1] it has been
noticed that we trigger a heap out-of-bounds access on eBPF array maps
when updating elements. This happens with each map whose map->value_size
(specified during map creation time) is not multiple of 8 bytes.
In array_map_alloc(), elem_size is round_up(attr->value_size, 8) and
used to align array map slots for faster access. However, in function
array_map_update_elem(), we update the element as ...
memcpy(array->value + array->elem_size * index, value, array->elem_size);
... where we access 'value' out-of-bounds, since it was allocated from
map_update_elem() from syscall side as kmalloc(map->value_size, GFP_USER)
and later on copied through copy_from_user(value, uvalue, map->value_size).
Thus, up to 7 bytes, we can access out-of-bounds.
Same could happen from within an eBPF program, where in worst case we
access beyond an eBPF program's designated stack.
Since 1be7f75d1668 ("bpf: enable non-root eBPF programs") didn't hit an
official release yet, it only affects priviledged users.
In case of array_map_lookup_elem(), the verifier prevents eBPF programs
from accessing beyond map->value_size through check_map_access(). Also
from syscall side map_lookup_elem() only copies map->value_size back to
user, so nothing could leak.
[1] http://github.com/google/syzkaller
Fixes: 28fbcfa08d8e ("bpf: add array type of eBPF maps")
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Alexei Starovoitov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
kernel/bpf/arraymap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -104,7 +104,7 @@ static int array_map_update_elem(struct
/* all elements already exist */
return -EEXIST;
- memcpy(array->value + array->elem_size * index, value,
array->elem_size);
+ memcpy(array->value + array->elem_size * index, value, map->value_size);
return 0;
}
Patches currently in stable-queue which might be from [email protected] are
queue-4.2/packet-infer-protocol-from-ethernet-header-if-unset.patch
queue-4.2/bpf-array-fix-heap-out-of-bounds-access-when-updating-elements.patch
queue-4.2/ipv6-sctp-implement-sctp_v6_destroy_sock.patch
queue-4.2/packet-only-allow-extra-vlan-len-on-ethernet-devices.patch
queue-4.2/net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
queue-4.2/packet-fix-tpacket_snd-max-frame-len.patch
queue-4.2/packet-always-probe-for-transport-header.patch
queue-4.2/packet-do-skb_probe_transport_header-when-we-actually-have-data.patch
queue-4.2/tools-net-use-include-uapi-with-__exported_headers__.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
