| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Jul 2021 13:02:10 +0100
From: Colin Ian King <colin.king@...onical.com>
To: Michael Holzheu <holzheu@...ux.vnet.ibm.com>,
Martin Schwidefsky <schwidefsky@...ibm.com>
Cc: Heiko Carstens <hca@...ux.ibm.com>,
Vasily Gorbik <gor@...ux.ibm.com>,
Christian Borntraeger <borntraeger@...ibm.com>,
Ilya Leoshkevich <iii@...ux.ibm.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
linux-s390@...r.kernel.org,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
bpf@...r.kernel.org,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Range checking on r1 in function reg_set_seen in
arch/s390/net/bpf_jit_comp.c
Hi
Static analysis with cppcheck picked up an interesting issue with the
following inline helper function in arch/s390/net/bpf_jit_comp.c :
static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
{
u32 r1 = reg2hex[b1];
if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)
jit->seen_reg[r1] = 1;
}
Although I believe r1 is always within range, the range check on r1 is
being performed before the more cache/memory expensive lookup on
jit->seen_reg[r1]. I can't see why the range change is being performed
after the access of jit->seen_reg[r1]. The following seems more correct:
if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])
jit->seen_reg[r1] = 1;
..since the check on r1 are less expensive than !jit->seen_reg[r1] and
also the range check ensures the array access is not out of bounds. I
was just wondering if I'm missing something deeper to why the order is
the way it is.
Colin
Powered by blists - more mailing lists