
Incorrect boundary check leading to the out-of-bound memory access

Open pcy190 opened this issue 10 months ago • 0 comments

Details

The bounds_check function does not check whether address + size overflows. When the address is large enough, the result of (char*)addr + size wraps around and bypasses the check ((char*)addr + size) <= ((char*)mem + mem_len), leading to the out-of-bound memory access.

https://github.com/iovisor/ubpf/blob/7d6da196ae98caf26fb953a0d709e8289dffd035/vm/ubpf_vm.c#L1176-L1181

Running the PoC code ldxdw %r6, [%r3-1] produces the invalid memory access:

==135970==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0xffffffffffffffff (pc 0x55bd7a299153 bp 0xffffffffffffffff sp 0x7fff2badf2c0 T135970)
==135970==The signal is caused by a READ memory access.
    #0 0x55bd7a299153 in ubpf_mem_load /ubpf/vm/ubpf_vm.c
    #1 0x55bd7a299153 in ubpf_exec /ubpf/vm/ubpf_vm.c:626:29

Patch suggestion

In the bounds_check function, add the following check:

  if ((size_t)addr + size < (size_t)addr) {
      /* addr + size wrapped around the top of the address space: reject */
      return false;
  }

pcy190 Apr 25 '24 10:04
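The wraparound the issue describes, as an added example that is not ubpf's own code: the region comparison quoted from bounds_check is modelled on uintptr_t integers (an assumption made so the wrap is well-defined unsigned arithmetic instead of undefined pointer overflow), once without and once with the suggested guard, and both are run on the address the PoC ends up with (r3 == 0 minus the displacement 1). The function names, the 64-byte region and the scenario helpers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the "addr >= region && addr + size <= region + region_len" test
 * that the issue quotes (example code, not ubpf's bounds_check). Addresses
 * are uintptr_t so that addr + size wraps with defined unsigned semantics. */
static bool
region_check_unchecked(uintptr_t addr, size_t size, uintptr_t region, size_t region_len)
{
    return addr >= region && (addr + size) <= (region + region_len);
}

/* Same comparison with the reporter's overflow guard in front of it. */
static bool
region_check_fixed(uintptr_t addr, size_t size, uintptr_t region, size_t region_len)
{
    if (addr + size < addr) {
        /* addr + size wrapped past the top of the address space: reject */
        return false;
    }
    return addr >= region && (addr + size) <= (region + region_len);
}

/* Address computed by the PoC `ldxdw %r6, [%r3-1]` when r3 is 0: 0 - 1 wraps to
 * UINTPTR_MAX (0xffffffffffffffff on 64-bit, the SEGV address in the report). */
uintptr_t
poc_address(void)
{
    return (uintptr_t)0 - 1;
}

/* Constructed 64-byte region standing in for the memory handed to ubpf_exec. */
static unsigned char g_region[64];

/* Verdict of the unchecked comparison for the PoC's 8-byte load
 * (true means the out-of-bound access is wrongly allowed). */
bool
poc_passes_unchecked(void)
{
    return region_check_unchecked(poc_address(), 8, (uintptr_t)g_region, sizeof g_region);
}

/* Verdict of the guarded comparison for the same load. */
bool
poc_passes_fixed(void)
{
    return region_check_fixed(poc_address(), 8, (uintptr_t)g_region, sizeof g_region);
}

int
main(void)
{
    printf("PoC address            : 0x%jx\n", (uintmax_t)poc_address());
    printf("unchecked comparison   : %s\n", poc_passes_unchecked() ? "allowed (bug)" : "rejected");
    printf("with overflow guard    : %s\n", poc_passes_fixed() ? "allowed" : "rejected");
    return 0;
}
```

The unchecked variant lets the load through because UINTPTR_MAX + 8 wraps to 7, which is trivially below region + region_len, while addr >= region holds for any region address; the guard catches exactly that wrap and leaves ordinary in-bounds and just-past-the-end accesses with the same verdict as before.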