bpf_prog_create_from_user at net/core/filter.c:1396
Double Fetch
copy_form_user(fprog, user_filter)
user_filter=0x55a51610b090
fprog=0xffff8800692afe48
gef➤ p *fprog
$45 = {
len = 0x7,
filter = 0x55a51610b930 //用户态地址
}
gef➤ p *fprog->filter
$49 = {
code = 0x20,
jt = 0x0,
jf = 0x0,
k = 0x4
}
fsize = (fprog->len * sizeof(fprog->filter[0])) //0x38
if (copy_from_user(fp->insns, fprog->filter, fsize)) //二次copy, fprog->filter可通过用户态控制
因为调用的copy_from_user无法在第二个参数上做手脚导致内核Oops
有个同类型的函数
bpf_prog_create中调用的memcpy(fp->insns, fprog->filter, fsize);但是已经出现上报的案例:KASAN: slab-out-of-bounds Read in bpf_prog_create