diff options
| author | David S. Miller <davem@davemloft.net> | 2010-11-10 13:38:24 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2010-11-10 13:38:24 -0500 |
| commit | 57fe93b374a6b8711995c2d466c502af9f3a08bb (patch) | |
| tree | 12648abf4c941275e5a12a8416e8fa6a92276753 /net/core | |
| parent | fe10ae53384e48c51996941b7720ee16995cbcb7 (diff) | |
filter: make sure filters dont read uninitialized memory
There is a possibility malicious users can get limited information about
uninitialized stack mem array. Even if sk_run_filter() result is bound
to packet length (0 .. 65535), we could imagine this can be used by
hostile user.
Initializing mem[] array, like Dan Rosenberg suggested in his patch is
expensive since most filters dont even use this array.
Its hard to make the filter validation in sk_chk_filter(), because of
the jumps. This might be done later.
In this patch, I use a bitmap (a single long var) so that only filters
using mem[] loads/stores pay the price of added security checks.
For other filters, additional cost is a single instruction.
[ Since we access fentry->k a lot now, cache it in a local variable
and mark filter entry pointer as const. -DaveM ]
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
| -rw-r--r-- | net/core/filter.c | 64 |
1 files changed, 35 insertions, 29 deletions
diff --git a/net/core/filter.c b/net/core/filter.c index 7beaec36b541..23e9b2a6b4c8 100644 --- a/net/core/filter.c +++ b/net/core/filter.c | |||
| @@ -112,39 +112,41 @@ EXPORT_SYMBOL(sk_filter); | |||
| 112 | */ | 112 | */ |
| 113 | unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen) | 113 | unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen) |
| 114 | { | 114 | { |
| 115 | struct sock_filter *fentry; /* We walk down these */ | ||
| 116 | void *ptr; | 115 | void *ptr; |
| 117 | u32 A = 0; /* Accumulator */ | 116 | u32 A = 0; /* Accumulator */ |
| 118 | u32 X = 0; /* Index Register */ | 117 | u32 X = 0; /* Index Register */ |
| 119 | u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */ | 118 | u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */ |
| 119 | unsigned long memvalid = 0; | ||
| 120 | u32 tmp; | 120 | u32 tmp; |
| 121 | int k; | 121 | int k; |
| 122 | int pc; | 122 | int pc; |
| 123 | 123 | ||
| 124 | BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG); | ||
| 124 | /* | 125 | /* |
| 125 | * Process array of filter instructions. | 126 | * Process array of filter instructions. |
| 126 | */ | 127 | */ |
| 127 | for (pc = 0; pc < flen; pc++) { | 128 | for (pc = 0; pc < flen; pc++) { |
| 128 | fentry = &filter[pc]; | 129 | const struct sock_filter *fentry = &filter[pc]; |
| 130 | u32 f_k = fentry->k; | ||
| 129 | 131 | ||
| 130 | switch (fentry->code) { | 132 | switch (fentry->code) { |
| 131 | case BPF_S_ALU_ADD_X: | 133 | case BPF_S_ALU_ADD_X: |
| 132 | A += X; | 134 | A += X; |
| 133 | continue; | 135 | continue; |
| 134 | case BPF_S_ALU_ADD_K: | 136 | case BPF_S_ALU_ADD_K: |
| 135 | A += fentry->k; | 137 | A += f_k; |
| 136 | continue; | 138 | continue; |
| 137 | case BPF_S_ALU_SUB_X: | 139 | case BPF_S_ALU_SUB_X: |
| 138 | A -= X; | 140 | A -= X; |
| 139 | continue; | 141 | continue; |
| 140 | case BPF_S_ALU_SUB_K: | 142 | case BPF_S_ALU_SUB_K: |
| 141 | A -= fentry->k; | 143 | A -= f_k; |
| 142 | continue; | 144 | continue; |
| 143 | case BPF_S_ALU_MUL_X: | 145 | case BPF_S_ALU_MUL_X: |
| 144 | A *= X; | 146 | A *= X; |
| 145 | continue; | 147 | continue; |
| 146 | case BPF_S_ALU_MUL_K: | 148 | case BPF_S_ALU_MUL_K: |
| 147 | A *= fentry->k; | 149 | A *= f_k; |
| 148 | continue; | 150 | continue; |
| 149 | case BPF_S_ALU_DIV_X: | 151 | case BPF_S_ALU_DIV_X: |
| 150 | if (X == 0) | 152 | if (X == 0) |
| @@ -152,49 +154,49 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int | |||
| 152 | A /= X; | 154 | A /= X; |
| 153 | continue; | 155 | continue; |
| 154 | case BPF_S_ALU_DIV_K: | 156 | case BPF_S_ALU_DIV_K: |
| 155 | A /= fentry->k; | 157 | A /= f_k; |
| 156 | continue; | 158 | continue; |
| 157 | case BPF_S_ALU_AND_X: | 159 | case BPF_S_ALU_AND_X: |
| 158 | A &= X; | 160 | A &= X; |
| 159 | continue; | 161 | continue; |
| 160 | case BPF_S_ALU_AND_K: | 162 | case BPF_S_ALU_AND_K: |
| 161 | A &= fentry->k; | 163 | A &= f_k; |
| 162 | continue; | 164 | continue; |
| 163 | case BPF_S_ALU_OR_X: | 165 | case BPF_S_ALU_OR_X: |
| 164 | A |= X; | 166 | A |= X; |
| 165 | continue; | 167 | continue; |
| 166 | case BPF_S_ALU_OR_K: | 168 | case BPF_S_ALU_OR_K: |
| 167 | A |= fentry->k; | 169 | A |= f_k; |
| 168 | continue; | 170 | continue; |
| 169 | case BPF_S_ALU_LSH_X: | 171 | case BPF_S_ALU_LSH_X: |
| 170 | A <<= X; | 172 | A <<= X; |
| 171 | continue; | 173 | continue; |
| 172 | case BPF_S_ALU_LSH_K: | 174 | case BPF_S_ALU_LSH_K: |
| 173 | A <<= fentry->k; | 175 | A <<= f_k; |
| 174 | continue; | 176 | continue; |
| 175 | case BPF_S_ALU_RSH_X: | 177 | case BPF_S_ALU_RSH_X: |
| 176 | A >>= X; | 178 | A >>= X; |
| 177 | continue; | 179 | continue; |
| 178 | case BPF_S_ALU_RSH_K: | 180 | case BPF_S_ALU_RSH_K: |
| 179 | A >>= fentry->k; | 181 | A >>= f_k; |
| 180 | continue; | 182 | continue; |
| 181 | case BPF_S_ALU_NEG: | 183 | case BPF_S_ALU_NEG: |
| 182 | A = -A; | 184 | A = -A; |
| 183 | continue; | 185 | continue; |
| 184 | case BPF_S_JMP_JA: | 186 | case BPF_S_JMP_JA: |
| 185 | pc += fentry->k; | 187 | pc += f_k; |
| 186 | continue; | 188 | continue; |
| 187 | case BPF_S_JMP_JGT_K: | 189 | case BPF_S_JMP_JGT_K: |
| 188 | pc += (A > fentry->k) ? fentry->jt : fentry->jf; | 190 | pc += (A > f_k) ? fentry->jt : fentry->jf; |
| 189 | continue; | 191 | continue; |
| 190 | case BPF_S_JMP_JGE_K: | 192 | case BPF_S_JMP_JGE_K: |
| 191 | pc += (A >= fentry->k) ? fentry->jt : fentry->jf; | 193 | pc += (A >= f_k) ? fentry->jt : fentry->jf; |
| 192 | continue; | 194 | continue; |
| 193 | case BPF_S_JMP_JEQ_K: | 195 | case BPF_S_JMP_JEQ_K: |
| 194 | pc += (A == fentry->k) ? fentry->jt : fentry->jf; | 196 | pc += (A == f_k) ? fentry->jt : fentry->jf; |
| 195 | continue; | 197 | continue; |
| 196 | case BPF_S_JMP_JSET_K: | 198 | case BPF_S_JMP_JSET_K: |
| 197 | pc += (A & fentry->k) ? fentry->jt : fentry->jf; | 199 | pc += (A & f_k) ? fentry->jt : fentry->jf; |
| 198 | continue; | 200 | continue; |
| 199 | case BPF_S_JMP_JGT_X: | 201 | case BPF_S_JMP_JGT_X: |
| 200 | pc += (A > X) ? fentry->jt : fentry->jf; | 202 | pc += (A > X) ? fentry->jt : fentry->jf; |
| @@ -209,7 +211,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int | |||
| 209 | pc += (A & X) ? fentry->jt : fentry->jf; | 211 | pc += (A & X) ? fentry->jt : fentry->jf; |
| 210 | continue; | 212 | continue; |
| 211 | case BPF_S_LD_W_ABS: | 213 | case BPF_S_LD_W_ABS: |
| 212 | k = fentry->k; | 214 | k = f_k; |
| 213 | load_w: | 215 | load_w: |
| 214 | ptr = load_pointer(skb, k, 4, &tmp); | 216 | ptr = load_pointer(skb, k, 4, &tmp); |
| 215 | if (ptr != NULL) { | 217 | if (ptr != NULL) { |
| @@ -218,7 +220,7 @@ load_w: | |||
| 218 | } | 220 | } |
| 219 | break; | 221 | break; |
| 220 | case BPF_S_LD_H_ABS: | 222 | case BPF_S_LD_H_ABS: |
| 221 | k = fentry->k; | 223 | k = f_k; |
| 222 | load_h: | 224 | load_h: |
| 223 | ptr = load_pointer(skb, k, 2, &tmp); | 225 | ptr = load_pointer(skb, k, 2, &tmp); |
| 224 | if (ptr != NULL) { | 226 | if (ptr != NULL) { |
| @@ -227,7 +229,7 @@ load_h: | |||
| 227 | } | 229 | } |
| 228 | break; | 230 | break; |
| 229 | case BPF_S_LD_B_ABS: | 231 | case BPF_S_LD_B_ABS: |
| 230 | k = fentry->k; | 232 | k = f_k; |
| 231 | load_b: | 233 | load_b: |
| 232 | ptr = load_pointer(skb, k, 1, &tmp); | 234 | ptr = load_pointer(skb, k, 1, &tmp); |
| 233 | if (ptr != NULL) { | 235 | if (ptr != NULL) { |
| @@ -242,32 +244,34 @@ load_b: | |||
| 242 | X = skb->len; | 244 | X = skb->len; |
| 243 | continue; | 245 | continue; |
| 244 | case BPF_S_LD_W_IND: | 246 | case BPF_S_LD_W_IND: |
| 245 | k = X + fentry->k; | 247 | k = X + f_k; |
| 246 | goto load_w; | 248 | goto load_w; |
| 247 | case BPF_S_LD_H_IND: | 249 | case BPF_S_LD_H_IND: |
| 248 | k = X + fentry->k; | 250 | k = X + f_k; |
| 249 | goto load_h; | 251 | goto load_h; |
| 250 | case BPF_S_LD_B_IND: | 252 | case BPF_S_LD_B_IND: |
| 251 | k = X + fentry->k; | 253 | k = X + f_k; |
| 252 | goto load_b; | 254 | goto load_b; |
| 253 | case BPF_S_LDX_B_MSH: | 255 | case BPF_S_LDX_B_MSH: |
| 254 | ptr = load_pointer(skb, fentry->k, 1, &tmp); | 256 | ptr = load_pointer(skb, f_k, 1, &tmp); |
| 255 | if (ptr != NULL) { | 257 | if (ptr != NULL) { |
| 256 | X = (*(u8 *)ptr & 0xf) << 2; | 258 | X = (*(u8 *)ptr & 0xf) << 2; |
| 257 | continue; | 259 | continue; |
| 258 | } | 260 | } |
| 259 | return 0; | 261 | return 0; |
| 260 | case BPF_S_LD_IMM: | 262 | case BPF_S_LD_IMM: |
| 261 | A = fentry->k; | 263 | A = f_k; |
| 262 | continue; | 264 | continue; |
| 263 | case BPF_S_LDX_IMM: | 265 | case BPF_S_LDX_IMM: |
| 264 | X = fentry->k; | 266 | X = f_k; |
| 265 | continue; | 267 | continue; |
| 266 | case BPF_S_LD_MEM: | 268 | case BPF_S_LD_MEM: |
| 267 | A = mem[fentry->k]; | 269 | A = (memvalid & (1UL << f_k)) ? |
| 270 | mem[f_k] : 0; | ||
| 268 | continue; | 271 | continue; |
| 269 | case BPF_S_LDX_MEM: | 272 | case BPF_S_LDX_MEM: |
| 270 | X = mem[fentry->k]; | 273 | X = (memvalid & (1UL << f_k)) ? |
| 274 | mem[f_k] : 0; | ||
| 271 | continue; | 275 | continue; |
| 272 | case BPF_S_MISC_TAX: | 276 | case BPF_S_MISC_TAX: |
| 273 | X = A; | 277 | X = A; |
| @@ -276,14 +280,16 @@ load_b: | |||
| 276 | A = X; | 280 | A = X; |
| 277 | continue; | 281 | continue; |
| 278 | case BPF_S_RET_K: | 282 | case BPF_S_RET_K: |
| 279 | return fentry->k; | 283 | return f_k; |
| 280 | case BPF_S_RET_A: | 284 | case BPF_S_RET_A: |
| 281 | return A; | 285 | return A; |
| 282 | case BPF_S_ST: | 286 | case BPF_S_ST: |
| 283 | mem[fentry->k] = A; | 287 | memvalid |= 1UL << f_k; |
| 288 | mem[f_k] = A; | ||
| 284 | continue; | 289 | continue; |
| 285 | case BPF_S_STX: | 290 | case BPF_S_STX: |
| 286 | mem[fentry->k] = X; | 291 | memvalid |= 1UL << f_k; |
| 292 | mem[f_k] = X; | ||
| 287 | continue; | 293 | continue; |
| 288 | default: | 294 | default: |
| 289 | WARN_ON(1); | 295 | WARN_ON(1); |