Re: [PATCH bpf-next 07/10] lib/buildid: harden build ID parsing logic some more

[Andrii Nakryiko <andrii.nakryiko@gmail.com>]

On Wed, Jul 10, 2024 at 1:45 PM Andi Kleen <ak@linux.intel.com> wrote:
>
> On Tue, Jul 09, 2024 at 01:42:42PM -0700, Andrii Nakryiko wrote:
> > Harden build ID parsing logic some more, adding explicit READ_ONCE()
> > when fetching values that we then use to check correctness and various
> > note iteration invariants.
>
> Just sprinkling READ_ONCE all over doesn't necessarily fix the code.
> It is only needed for values that affect a loop or reference.

Agreed, besides `READ_ONCE(nhdr->n_type) == BUILD_ID` and
`READ_ONCE(phdr->p_type) == PT_NOTE`, which I added mostly just for
consistency, the rest should be indeed read once and then checked, no?
Do you see any other unnecessary READ_ONCE()s in this patch?

>
> You have to fix stuff like this
>
> static inline int parse_build_id(const void *page_addr,
>                                  unsigned char *build_id,
>                                  __u32 *size,
>                                  const void *note_start,
>                                  Elf32_Word note_size)
> {
>         /* check for overflow */
>         if (note_start < page_addr || note_start + note_size < note_start)
>             ^^^^^^^^^^^^^^^^^^^^^^

this has been switched to u64-based offsets in patch #1, did you take
a look at it?

>                 return -EINVAL;
>
>
> which is C undefined (at least without -fwrapv-pointer) and can easily
> be miscompiled if it isn't already.
>
> I suspect the code will need more work, especially since you're
> unwilling to consider any defense in depth measures.
>

Can you be a bit more specific about the remaining issues? I'm happy
to fix whatever can and should be fixed (after the changes I already
did in this patch set).

If by "defense in depth" you mean allowing this functionality only for
executable VMAs, then yes, I refuse to do that, as I already
explained.

> -Andi
>