| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 03 Feb 2017 00:46:37 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: William Tu <u9012063@...il.com>
CC: netdev@...r.kernel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH net-next] bpf: fix verifier issue at check_packet_ptr_add
On 02/02/2017 08:59 PM, William Tu wrote:
> When adding a zero value to the packet pointer, the verifer
> reports the following error:
>
> R0=imm0,min_value=0,max_value=0 R1=pkt(id=0,off=0,r=4) R2=pkt_end R3=fp-12 R4=imm4,min_value=4,max_value=4 R5=pkt(id=0,off=4,r=4) R6=ctx R7=imm0,min_value=0,max_value=0 R8=inv,min_value=0,max_value=0 R9=inv R10=fp
> 269: (bf) r2 = r0
> 270: (77) r2 >>= 3
> 271: (bf) r4 = r1
> 272: (0f) r4 += r2
> addition of negative constant to packet pointer is not allowed
How do we get here? I mean compiler is not optimizing this away
as the reg is populated differently from various branches? Could
you elaborate more on that resp. how we end up with this? Thanks!
> Signed-off-by: William Tu <u9012063@...il.com>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> ---
> kernel/bpf/verifier.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index fb3513b..1a754e5 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1397,7 +1397,7 @@ static int check_packet_ptr_add(struct bpf_verifier_env *env,
> imm = insn->imm;
>
> add_imm:
> - if (imm <= 0) {
> + if (imm < 0) {
> verbose("addition of negative constant to packet pointer is not allowed\n");
> return -EACCES;
> }
>
Powered by blists - more mailing lists