Date: Thu, 6 Aug 2020 11:29:39 -0700
From: Nick Desaulniers <ndesaulniers@...gle.com>
To: David Miller <davem@...emloft.net>
Cc: Sami Tolvanen <samitolvanen@...gle.com>, Jakub Kicinski <kuba@...nel.org>, stable@...r.kernel.org, Masahiro Yamada <masahiroy@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Alex Elder <elder@...aro.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, Andrii Nakryiko <andriin@...com>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...omium.org>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: [PATCH net resend] bitfield.h: don't compile-time validate _val in FIELD_FIT

From: Jakub Kicinski <kuba@...nel.org>

When ur_load_imm_any() is inlined into jeq_imm(), it's possible for the
compiler to deduce a case where _val can only have the value of -1 at
compile time. Specifically,

/* struct bpf_insn: _s32 imm */
u64 imm = insn->imm; /* sign extend */
if (imm >> 32) { /* non-zero only if insn->imm is negative */
  /* inlined from ur_load_imm_any */
  u32 __imm = imm >> 32; /* therefore, always 0xffffffff */
  if (__builtin_constant_p(__imm) && __imm > 255)
    compiletime_assert_XXX()

This can result in tripping a BUILD_BUG_ON() in __BF_FIELD_CHECK() that
checks that a given value is representable in one byte (interpreted as
unsigned).

FIELD_FIT() should return true or false at runtime for whether a value
can fit or not. Don't break the build over a value that's too large for
the mask. We'd prefer to keep the inlining and compiler optimizations
though we know this case will always return false.

Cc: stable@...r.kernel.org
Link: https://lore.kernel.org/kernel-hardening/CAK7LNASvb0UDJ0U5wkYYRzTAdnEs64HjXpEUL7d=V0CXiAXcNw@mail.gmail.com/
Reported-by: Masahiro Yamada <masahiroy@...nel.org>
Debugged-by: Sami Tolvanen <samitolvanen@...gle.com>
Signed-off-by: Jakub Kicinski <kuba@...nel.org> Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com> Acked-by: Alex Elder <elder@...aro.org> --- Note: resent patch 1/2 as per Jakub on https://lore.kernel.org/netdev/20200708230402.1644819-1-ndesaulniers@google.com/ include/linux/bitfield.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h index 48ea093ff04c..4e035aca6f7e 100644 --- a/include/linux/bitfield.h +++ b/include/linux/bitfield.h @@ -77,7 +77,7 @@ */ #define FIELD_FIT(_mask, _val) \ ({ \ - __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_FIT: "); \ + __BF_FIELD_CHECK(_mask, 0ULL, 0ULL, "FIELD_FIT: "); \ !((((typeof(_mask))_val) << __bf_shf(_mask)) & ~(_mask)); \ }) -- 2.27.0.383.g050319c2ae-goog
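Review bot: with _val no longer passed to __BF_FIELD_CHECK(), the only remaining test of the value is the unchanged last line of the macro, `!((((typeof(_mask))_val) << __bf_shf(_mask)) & ~(_mask))`, which casts _val to typeof(_mask) before shifting. A _val wider than the mask's type has its high bits dropped by that cast before the comparison, so FIELD_FIT() can report a fit for a value that does not fit. Consider doing the shift and comparison in a type at least as wide as _val, or stating the width requirement in the comment above the macro. That comment (it ends just before the #define in this hunk's context) is not touched by the patch either; it should say that only the mask is validated at build time and that the value is checked at run time, so callers must act on the returned boolean.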