From patchwork Thu Apr  4 06:22:37 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrey Ignatov <rdna@fb.com>
X-Patchwork-Id: 1076853
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=fb.com
Authentication-Results: ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=fb.com header.i=@fb.com header.b="dLLJk3yf";
	dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 44ZXv84f7pz9sRW
	for <patchwork-incoming-netdev@ozlabs.org>;
	Thu,  4 Apr 2019 17:23:16 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1726031AbfDDGXP (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Thu, 4 Apr 2019 02:23:15 -0400
Received: from mx0a-00082601.pphosted.com ([67.231.145.42]:38482 "EHLO
	mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1726462AbfDDGXO (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 4 Apr 2019 02:23:14 -0400
Received: from pps.filterd (m0109333.ppops.net [127.0.0.1])
	by mx0a-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id
	x346JN04013853
	for <netdev@vger.kernel.org>; Wed, 3 Apr 2019 23:23:13 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com;
	h=from : to : cc : subject
	: date : message-id : in-reply-to : references : mime-version :
	content-type; s=facebook;
	bh=KasC4DDIh4s37wNHbKGXaQXMN1NlXAwcjuzeTFZGokA=;
	b=dLLJk3yfQAhDAIdsKtddt0eg6DpNyo5sa1rG2IvIwodaNU5U7NEQ/aSJz/axzDPuUpYG
	jTqWOcxnx0AWEomtYVhUd+WL329OjZHdjkuV3dsRkQUfcds1gW7OXMh80fVZ5H4iTcIe
	wQs4oUQBLE2m/TB0vOIQVbdicCJPbT5WFQc=
Received: from mail.thefacebook.com ([199.201.64.23])
	by mx0a-00082601.pphosted.com with ESMTP id 2rn1ejt6gk-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT)
	for <netdev@vger.kernel.org>; Wed, 03 Apr 2019 23:23:13 -0700
Received: from mx-out.facebook.com (2620:10d:c081:10::13) by
	mail.thefacebook.com (2620:10d:c081:35::129) with Microsoft SMTP
	Server
	(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id
	15.1.1713.5; Wed, 3 Apr 2019 23:23:12 -0700
Received: by dev082.prn2.facebook.com (Postfix, from userid 572249)
	id E24FF3702EB4; Wed,  3 Apr 2019 23:23:11 -0700 (PDT)
Smtp-Origin-Hostprefix: dev
From: Andrey Ignatov <rdna@fb.com>
Smtp-Origin-Hostname: dev082.prn2.facebook.com
To: <netdev@vger.kernel.org>
CC: Andrey Ignatov <rdna@fb.com>, <ast@kernel.org>,
	<daniel@iogearbox.net>, <kernel-team@fb.com>
Smtp-Origin-Cluster: prn2c23
Subject: [PATCH v3 bpf-next 1/7] bpf: Reject indirect var_off stack access
	in raw mode
Date: Wed, 3 Apr 2019 23:22:37 -0700
Message-ID: 
 <7c56c0ea7c0e59664d2566fd419c6cb7ea3efc3c.1554358433.git.rdna@fb.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <cover.1554358433.git.rdna@fb.com>
References: <cover.1554358433.git.rdna@fb.com>
X-FB-Internal: Safe
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
	definitions=2019-04-04_03:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

It's hard to guarantee that whole memory is marked as initialized on
helper return if uninitialized stack is accessed with variable offset
since specific bounds are unknown to verifier. This may cause
uninitialized stack leaking.

Reject such an access in check_stack_boundary to prevent possible
leaking.

There are no known use-cases for indirect uninitialized stack access
with variable offset so it shouldn't break anything.

Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrey Ignatov <rdna@fb.com>
---
 kernel/bpf/verifier.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0fd4946387bb..e9c093e632f2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2226,6 +2226,15 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
 		if (err)
 			return err;
 	} else {
+		/* Only initialized buffer on stack is allowed to be accessed
+		 * with variable offset. With uninitialized buffer it's hard to
+		 * guarantee that whole memory is marked as initialized on
+		 * helper return since specific bounds are unknown what may
+		 * cause uninitialized stack leaking.
+		 */
+		if (meta && meta->raw_mode)
+			meta = NULL;
+
 		min_off = reg->smin_value + reg->off;
 		max_off = reg->umax_value + reg->off;
 		err = __check_stack_boundary(env, regno, min_off, access_size,