Commit d746d61
committed
bpf: Fix out of bounds access for ringbuf helpers
jira VULN-140
cve CVE-2022-23222
commit-author Daniel Borkmann <[email protected]>
commit 64620e0
Both bpf_ringbuf_submit() and bpf_ringbuf_discard() have ARG_PTR_TO_ALLOC_MEM
in their bpf_func_proto definition as their first argument. They both expect
the result from a prior bpf_ringbuf_reserve() call which has a return type of
RET_PTR_TO_ALLOC_MEM_OR_NULL.
Meaning, after a NULL check in the code, the verifier will promote the register
type in the non-NULL branch to a PTR_TO_MEM and in the NULL branch to a known
zero scalar. Generally, pointer arithmetic on PTR_TO_MEM is allowed, so the
latter could have an offset.
The ARG_PTR_TO_ALLOC_MEM expects a PTR_TO_MEM register type. However, the non-
zero result from bpf_ringbuf_reserve() must be fed into either bpf_ringbuf_submit()
or bpf_ringbuf_discard() but with the original offset given it will then read
out the struct bpf_ringbuf_hdr mapping.
The verifier missed to enforce a zero offset, so that out of bounds access
can be triggered which could be used to escalate privileges if unprivileged
BPF was enabled (disabled by default in kernel).
Fixes: 457f443 ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: <[email protected]> (SecCoder Security Lab)
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: John Fastabend <[email protected]>
Acked-by: Alexei Starovoitov <[email protected]>
(cherry picked from commit 64620e0)
Signed-off-by: Pratham Patel <[email protected]>1 parent 5a0a267 commit d746d61
1 file changed
+6
-0
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4927 | 4927 | | |
4928 | 4928 | | |
4929 | 4929 | | |
| 4930 | + | |
| 4931 | + | |
| 4932 | + | |
| 4933 | + | |
| 4934 | + | |
4930 | 4935 | | |
4931 | 4936 | | |
4932 | 4937 | | |
| 4938 | + | |
4933 | 4939 | | |
4934 | 4940 | | |
4935 | 4941 | | |
| |||
0 commit comments