Re: [RFC v3 04/22] bpf: Set register type according to is_valid_access()

[RFC v3 00/22] Landlock LSM: Unprivileged sandboxing · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 01/22] landlock: Add Kconfig · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 04/22] bpf: Set register type according to is_valid_access() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 04/22] bpf: Set register type according to is_valid_access() · Thomas Graf <tgraf@suug.ch> · 2016-10-19
Re: [RFC v3 04/22] bpf: Set register type according to is_valid_access() · Daniel Borkmann <daniel@iogearbox.net> · 2016-10-19
[RFC v3 02/22] bpf: Move u64_to_ptr() to BPF headers and inline it · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 09/22] seccomp: Move struct seccomp_filter in seccomp.h · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 08/22] seccomp: Fix documentation for struct seccomp_filter · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Mickaël Salaün <mic@digikod.net> · 2016-10-05
Re: [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup · Kees Cook <hidden> · 2016-10-05
[RFC v3 20/22] landlock: Add update and debug access flags · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 22/22] samples/landlock: Add sandbox example · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 22/22] samples/landlock: Add sandbox example · Alexei Starovoitov <hidden> · 2016-09-14
[RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-14
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Alexei Starovoitov <hidden> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-15
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Sargun Dhillon <hidden> · 2016-09-20
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-20
Re: [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-15
[RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 21/22] bpf,landlock: Add optional skb pointer in the Landlock context · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 21/22] bpf,landlock: Add optional skb pointer in the Landlock context · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 21/22] bpf,landlock: Add optional skb pointer in the Landlock context · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Andy Lutomirski <luto@amacapital.net> · 2016-09-14
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy · Mickaël Salaün <mic@digikod.net> · 2016-10-05
[RFC v3 19/22] landlock: Add interrupted origin · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 19/22] landlock: Add interrupted origin · Andy Lutomirski <luto@amacapital.net> · 2016-09-14
Re: [RFC v3 19/22] landlock: Add interrupted origin · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 19/22] landlock: Add interrupted origin · Andy Lutomirski <luto@amacapital.net> · 2016-09-15
Re: [RFC v3 19/22] landlock: Add interrupted origin · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 19/22] landlock: Add interrupted origin · Mickaël Salaün <mic@digikod.net> · 2016-10-05
[RFC v3 06/22] landlock: Add LSM hooks · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 06/22] landlock: Add LSM hooks · Thomas Graf <tgraf@suug.ch> · 2016-10-19
Re: [RFC v3 06/22] landlock: Add LSM hooks · Mickaël Salaün <mic@digikod.net> · 2016-10-19
[RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Jann Horn <hidden> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-15
lsm naming dilemma. Re: [RFC v3 07/22] landlock: Handle file comparisons · Alexei Starovoitov <hidden> · 2016-09-20
Re: lsm naming dilemma. Re: [RFC v3 07/22] landlock: Handle file comparisons · Sargun Dhillon <hidden> · 2016-09-20
Re: lsm naming dilemma. Re: [RFC v3 07/22] landlock: Handle file comparisons · Mickaël Salaün <mic@digikod.net> · 2016-09-20
Re: [RFC v3 07/22] landlock: Handle file comparisons · Kees Cook <hidden> · 2016-10-03
[RFC v3 13/22] bpf/cgroup: Replace struct bpf_prog with union bpf_object · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Alexei Starovoitov <hidden> · 2016-09-14
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-09-15
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Kees Cook <hidden> · 2016-10-03
Re: [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles · Mickaël Salaün <mic@digikod.net> · 2016-10-05
[RFC v3 12/22] bpf: Cosmetic change for bpf_prog_attach() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 10/22] seccomp: Split put_seccomp_filter() with put_seccomp() · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 15/22] bpf/cgroup: Move capability check · Mickaël Salaün <mic@digikod.net> · 2016-09-14
[RFC v3 14/22] bpf/cgroup: Make cgroup_bpf_update() return an error code · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 14/22] bpf/cgroup: Make cgroup_bpf_update() return an error code · Alexei Starovoitov <hidden> · 2016-09-14
[RFC v3 05/22] bpf,landlock: Add eBPF program subtype and is_valid_subtype() verifier · Mickaël Salaün <mic@digikod.net> · 2016-09-14
Re: [RFC v3 05/22] bpf,landlock: Add eBPF program subtype and is_valid_subtype() verifier · Thomas Graf <tgraf@suug.ch> · 2016-10-19
RE: [RFC v3 00/22] Landlock LSM: Unprivileged sandboxing · David Laight <hidden> · 2016-09-14

From: Thomas Graf <tgraf@suug.ch>
Date: 2016-10-19 14:54:50
Also in: cgroups, linux-api, lkml

On 09/14/16 at 09:23am, Mickaël Salaün wrote:

This fix a pointer leak when an unprivileged eBPF program read a pointer
value from the context. Even if is_valid_access() returns a pointer
type, the eBPF verifier replace it with UNKNOWN_VALUE. The register
value containing an address is then allowed to leak. Moreover, this
prevented unprivileged eBPF programs to use functions with (legitimate)
pointer arguments.

This bug was not a problem until now because the only unprivileged eBPF
program allowed is of type BPF_PROG_TYPE_SOCKET_FILTER and all the types
from its context are UNKNOWN_VALUE.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Fixes: 969bf05eb3ce ("bpf: direct packet access")
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>

Can you post this fix separately? It's valid and needed outside of the
scope of this series.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help