| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Apr 2020 23:08:40 -0700
From: hpa@...or.com
To: Luke Nelson <lukenels@...washington.edu>, bpf@...r.kernel.org
CC: Brian Gerst <brgerst@...il.com>,
Luke Nelson <luke.r.nels@...il.com>,
Xi Wang <xi.wang@...il.com>, Wang YanQing <udknight@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
x86@...nel.org, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
Andrii Nakryiko <andriin@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...omium.org>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf v2 1/2] bpf, x86_32: Fix incorrect encoding in BPF_LDX zero-extension
On April 22, 2020 10:36:29 AM PDT, Luke Nelson <lukenels@...washington.edu> wrote:
>The current JIT uses the following sequence to zero-extend into the
>upper 32 bits of the destination register for BPF_LDX BPF_{B,H,W},
>when the destination register is not on the stack:
>
> EMIT3(0xC7, add_1reg(0xC0, dst_hi), 0);
>
>The problem is that C7 /0 encodes a MOV instruction that requires a
>4-byte
>immediate; the current code emits only 1 byte of the immediate. This
>means that the first 3 bytes of the next instruction will be treated as
>the rest of the immediate, breaking the stream of instructions.
>
>This patch fixes the problem by instead emitting "xor dst_hi,dst_hi"
>to clear the upper 32 bits. This fixes the problem and is more
>efficient
>than using MOV to load a zero immediate.
>
>This bug may not be currently triggerable as BPF_REG_AX is the only
>register not stored on the stack and the verifier uses it in a limited
>way, and the verifier implements a zero-extension optimization. But the
>JIT should avoid emitting incorrect encodings regardless.
>
>Fixes: 03f5781be2c7b ("bpf, x86_32: add eBPF JIT compiler for ia32")
>Signed-off-by: Xi Wang <xi.wang@...il.com>
>Signed-off-by: Luke Nelson <luke.r.nels@...il.com>
>---
>v1 -> v2: Updated commit message to better reflect the bug.
> (H. Peter Anvin and Brian Gerst)
>---
> arch/x86/net/bpf_jit_comp32.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/arch/x86/net/bpf_jit_comp32.c
>b/arch/x86/net/bpf_jit_comp32.c
>index 4d2a7a764602..cc9ad3892ea6 100644
>--- a/arch/x86/net/bpf_jit_comp32.c
>+++ b/arch/x86/net/bpf_jit_comp32.c
>@@ -1854,7 +1854,9 @@ static int do_jit(struct bpf_prog *bpf_prog, int
>*addrs, u8 *image,
> STACK_VAR(dst_hi));
> EMIT(0x0, 4);
> } else {
>- EMIT3(0xC7, add_1reg(0xC0, dst_hi), 0);
>+ /* xor dst_hi,dst_hi */
>+ EMIT2(0x33,
>+ add_2reg(0xC0, dst_hi, dst_hi));
> }
> break;
> case BPF_DW:
Reviewed-by: H. Peter Anvin (Intel) <hpa@...or.com>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Powered by blists - more mailing lists