• Wenwen Wang's avatar
    bpf: btf: Fix a missing check bug · 8af03d1a
    Wenwen Wang authored
    In btf_parse_hdr(), the length of the btf data header is firstly copied
    from the user space to 'hdr_len' and checked to see whether it is larger
    than 'btf_data_size'. If yes, an error code EINVAL is returned. Otherwise,
    the whole header is copied again from the user space to 'btf->hdr'.
    However, after the second copy, there is no check between
    'btf->hdr->hdr_len' and 'hdr_len' to confirm that the two copies get the
    same value. Given that the btf data is in the user space, a malicious user
    can race to change the data between the two copies. By doing so, the user
    can provide malicious data to the kernel and cause undefined behavior.
    
    This patch adds a necessary check after the second copy, to make sure
    'btf->hdr->hdr_len' has the same value as 'hdr_len'. Otherwise, an error
    code EINVAL will be returned.
    Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
    Acked-by: default avatarSong Liu <songliubraving@fb.com>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    8af03d1a
btf.c 57.9 KB