
[linux-5.16.y,0/9] Fix bpf mem read/write vulnerability.

Message ID 20220216225209.2196865-1-haoluo@google.com

Message

Hao Luo Feb. 16, 2022, 10:52 p.m. UTC
Hi Greg,

Please consider cherry-picking this patch series into 5.16.x stable. It
includes a fix to a bug in 5.16 stable which allows a user with cap_bpf
privileges to get root privileges. The patch that fixes the bug is

 patch 7/9: bpf: Make per_cpu_ptr return rdonly

The rest are the dependencies required by the fix patch. This patchset has
been merged in mainline v5.17. The patches were not planned to be backported
because of their complex dependencies.

Tested by compiling, building and running a subset of the bpf test_progs.

Hao Luo (9):
  bpf: Introduce composable reg, ret and arg types.
  bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL
  bpf: Replace RET_XXX_OR_NULL with RET_XXX | PTR_MAYBE_NULL
  bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL
  bpf: Introduce MEM_RDONLY flag
  bpf: Convert PTR_TO_MEM_OR_NULL to composable types.
  bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.
  bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem.
  bpf/selftests: Test PTR_TO_RDONLY_MEM

 include/linux/bpf.h                           | 101 +++-
 include/linux/bpf_verifier.h                  |  17 +
 kernel/bpf/btf.c                              |  12 +-
 kernel/bpf/cgroup.c                           |   2 +-
 kernel/bpf/helpers.c                          |  12 +-
 kernel/bpf/map_iter.c                         |   4 +-
 kernel/bpf/ringbuf.c                          |   2 +-
 kernel/bpf/syscall.c                          |   2 +-
 kernel/bpf/verifier.c                         | 488 +++++++++---------
 kernel/trace/bpf_trace.c                      |  26 +-
 net/core/bpf_sk_storage.c                     |   2 +-
 net/core/filter.c                             |  64 +--
 net/core/sock_map.c                           |   2 +-
 .../selftests/bpf/prog_tests/ksyms_btf.c      |  14 +
 .../bpf/progs/test_ksyms_btf_write_check.c    |  29 ++
 15 files changed, 444 insertions(+), 333 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_ksyms_btf_write_check.c
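The following is a toy model, added here for illustration, of the composable register-type scheme the first patches of the series introduce (a base type combined with flags such as PTR_MAYBE_NULL and MEM_RDONLY) and of the check that patch 7/9 relies on: once per_cpu_ptr returns a PTR_TO_MEM carrying MEM_RDONLY, a verifier-style access check rejects stores through that pointer. It is not code from the series or from the kernel; the bit layout, the BASE_TYPE_* names, the helper names and the enum values are assumptions made for the model, not the kernel's definitions.

```c
/* Toy model of composable BPF register types: base type in the low bits,
 * orthogonal flags in the high bits. Constructed for illustration; the
 * masks, bit positions and names are assumptions, not kernel definitions. */
#include <stdbool.h>
#include <stdio.h>

#define BASE_TYPE_BITS 8
#define BASE_TYPE_MASK ((1u << BASE_TYPE_BITS) - 1)

enum base_type {
    NOT_INIT = 0,
    SCALAR_VALUE,
    PTR_TO_MEM,
    PTR_TO_BTF_ID,
};

enum type_flag {
    PTR_MAYBE_NULL = 1u << (BASE_TYPE_BITS + 0), /* replaces the *_OR_NULL variants */
    MEM_RDONLY     = 1u << (BASE_TYPE_BITS + 1), /* memory must not be written */
};

static inline unsigned base_type(unsigned t) { return t & BASE_TYPE_MASK; }
static inline unsigned type_flag(unsigned t) { return t & ~BASE_TYPE_MASK; }

/* Model of the return type after the fix: read-only, possibly-null mem. */
unsigned per_cpu_ptr_ret_type_fixed(void)
{
    return PTR_TO_MEM | MEM_RDONLY | PTR_MAYBE_NULL;
}

/* Model of the return type before the fix: writable, possibly-null mem. */
unsigned per_cpu_ptr_ret_type_before(void)
{
    return PTR_TO_MEM | PTR_MAYBE_NULL;
}

enum access { READ, WRITE };

/* Verifier-style check for an access through a register of type t.
 * Returns NULL when the access is allowed, otherwise a rejection reason. */
const char *check_mem_access(unsigned t, enum access a)
{
    if (type_flag(t) & PTR_MAYBE_NULL)
        return "pointer may be null; a null check is required first";
    if (base_type(t) != PTR_TO_MEM)
        return "not a pointer to mem";
    if (a == WRITE && (type_flag(t) & MEM_RDONLY))
        return "write into rdonly mem is rejected";
    return NULL;
}

/* A successful null check drops PTR_MAYBE_NULL in the non-null branch
 * while keeping every other flag (including MEM_RDONLY) intact. */
unsigned mark_non_null(unsigned t)
{
    return t & ~PTR_MAYBE_NULL;
}

/* Would the verifier accept a store through the value a helper returned? */
bool write_allowed(unsigned ret_type)
{
    return check_mem_access(mark_non_null(ret_type), WRITE) == NULL;
}

int main(void)
{
    unsigned before = per_cpu_ptr_ret_type_before();
    unsigned fixed = per_cpu_ptr_ret_type_fixed();

    printf("before fix: write %s\n", write_allowed(before) ? "allowed" : "rejected");
    printf("after fix:  write %s\n", write_allowed(fixed) ? "allowed" : "rejected");
    printf("after fix:  read  %s\n",
           check_mem_access(mark_non_null(fixed), READ) ? "rejected" : "allowed");
    return 0;
}
```

The point of the flag layout is that MEM_RDONLY survives the null check: stripping PTR_MAYBE_NULL leaves PTR_TO_MEM | MEM_RDONLY, so reads are still allowed but any store through the pointer is refused, which is what the selftest in patch 9/9 exercises.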

Comments

Hao Luo Feb. 17, 2022, 7:59 p.m. UTC | #1
On Thu, Feb 17, 2022 at 11:05 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Wed, Feb 16, 2022 at 02:52:00PM -0800, Hao Luo wrote:
> > Hi Greg,
> >
> > Please consider cherry-picking this patch series into 5.16.x stable. It
> > includes a fix to a bug in 5.16 stable which allows a user with cap_bpf
> > privileges to get root privileges. The patch that fixes the bug is
> >
> >  patch 7/9: bpf: Make per_cpu_ptr return rdonly
> >
> > The rest are the dependencies required by the fix patch. This patchset has
> > been merged in mainline v5.17. The patches were not planned to be backported
> > because of their complex dependencies.
>
> How about 5.10 or 5.15?  Any chance to backport them there too?
>

If I understand correctly, the attack requires commit:

541c3bad8dc5 bpf: Support BPF ksym variables in kernel modules

which is included in 5.12. The attacker needs to load a self-defined
btf. I'm taking a look at backporting to 5.15.