| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Jan 2016 09:55:58 -0800 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: Rabin Vincent <rabin@....in> Cc: davem@...emloft.net, netdev@...r.kernel.org, zlim.lnx@...il.com, yang.shi@...aro.org, will.deacon@....com, catalin.marinas@....com, linux-arm-kernel@...ts.infradead.org Subject: Re: [PATCH] arm64: net: bpf: don't BUG() on large shifts On Tue, Jan 05, 2016 at 06:39:03PM +0100, Rabin Vincent wrote: > Attempting to generate UBFM/SBFM instructions with shifts that can't be > encoded in the immediate fields of the opcodes leads to a trigger of a > BUG() in the instruction generation code. As the ARMv8 ARM says: "The > shift amounts must be in the range 0 to one less than the register width > of the instruction, inclusive." Make the JIT reject unencodable shifts > instead of crashing. > > ------------[ cut here ]------------ > kernel BUG at arch/arm64/kernel/insn.c:766! > Internal error: Oops - BUG: 0 [#1] PREEMPT SMP > CPU: 0 PID: 669 Comm: insmod Not tainted 4.4.0-rc8+ #4 > PC is at aarch64_insn_gen_bitfield+0xcc/0xd4 > LR is at build_body+0x1000/0x2914 > .. > Call trace: > [<ffffffc00008c65c>] aarch64_insn_gen_bitfield+0xcc/0xd4 > [<ffffffc000096bfc>] build_body+0x1000/0x2914 > [<ffffffc000098590>] bpf_int_jit_compile+0x7c/0x1b4 > [<ffffffc000130d10>] bpf_prog_select_runtime+0x20/0xcc > [<ffffffc0004afbac>] bpf_prepare_filter+0x3d8/0x3e8 > [<ffffffc0004afc30>] bpf_prog_create+0x74/0xa4 > [<ffffffbffc3de1d4>] test_bpf_init+0x1d4/0x748 [test_bpf] > [<ffffffc00008293c>] do_one_initcall+0x90/0x1a8 > [<ffffffc000140c4c>] do_init_module+0x60/0x1c8 > [<ffffffc00011bdcc>] load_module+0x1554/0x1c98 > [<ffffffc00011c62c>] SyS_init_module+0x11c/0x140 > [<ffffffc000085cb0>] el0_svc_naked+0x24/0x28 > > Signed-off-by: Rabin Vincent <rabin@....in> > --- > arch/arm64/net/bpf_jit_comp.c | 7 +++++++ > 1 file changed, 7 insertions(+) this one is better to be addressed in verifier instead of eBPF JITs. Please reject it in check_alu_op() instead. Though this bug is arm64 only and doesn't affect x64, it's better to reject such invalid programs, since shifts with large constants can be only be created manually. llvm doesn't generate such things. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists