| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20150729.170453.375462793871538401.davem@davemloft.net>
Date: Wed, 29 Jul 2015 17:04:53 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: daniel@...earbox.net
Cc: ast@...mgrid.com, netdev@...r.kernel.org
Subject: Re: [PATCH net] ebpf, x86: fix general protection fault when tail
call is invoked
From: Daniel Borkmann <daniel@...earbox.net>
Date: Tue, 28 Jul 2015 15:26:36 +0200
> With eBPF JIT compiler enabled on x86_64, I was able to reliably trigger
> the following general protection fault out of an eBPF program with a simple
> tail call, f.e. tracex5 (or a stripped down version of it):
...
> Changing the emitter to always use the 4 byte displacement in the lea
> instruction fixes the panic on my side. It increases the tail call instruction
> emission by 3 more byte, but it should cover us from various combinations
> (and perhaps other future increases on related structures).
>
> After patch, disassembly:
>
> [...]
> 9e: lea 0x80(%rsi,%rdx,8),%rax <--- CONFIG_LOCKDEP/CONFIG_LOCK_STAT
> 48 8d 84 d6 80 00 00 00
> a6: mov (%rax),%rax
> 48 8b 00
> [...]
>
> [...]
> 9e: lea 0x50(%rsi,%rdx,8),%rax <--- No CONFIG_LOCKDEP
> 48 8d 84 d6 50 00 00 00
> a6: mov (%rax),%rax
> 48 8b 00
> [...]
>
> Fixes: b52f00e6a715 ("x86: bpf_jit: implement bpf_tail_call() helper")
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists