| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 May 2017 19:39:33 -0700 From: Alexei Starovoitov <ast@...com> To: David Miller <davem@...emloft.net> CC: <daniel@...earbox.net>, <netdev@...r.kernel.org> Subject: Re: LLVM 4.0 code generation bug On 5/1/17 7:31 PM, David Miller wrote: > > If the last BPF instruction before exit is a ldimm64, branches to the > exit point at the wrong location. > > Here is what I get from test_pkt_access.c on sparc: > > 0000000000000000 <process>: > 0: b7 00 00 00 00 00 00 02 mov r0, 2 > 8: 61 21 00 50 00 00 00 00 ldw r2, [r1+80] > 10: 61 11 00 4c 00 00 00 00 ldw r1, [r1+76] > 18: bf 41 00 00 00 00 00 00 mov r4, r1 > 20: 07 40 00 00 00 00 00 0e add r4, 14 > 28: 2d 42 00 25 00 00 00 00 jgt r4, r2, 148 <LBB0_11> > ... > 0000000000000148 <LBB0_11>: > 148: 18 00 00 00 ff ff ff ff ldimm64 r0, 4294967295 > 150: 00 00 00 00 00 00 00 00 > > 0000000000000158 <LBB0_12>: > 158: 95 00 00 00 00 00 00 00 exit > > The offset field in the "jgt" instruction is 0x25 which multiplied by > 8 is 0x128, add 0x128 to the instruction location which is 0x28, and > we get 0x150, which is the second 64-bit chunk of the ldimm64 > instruction. looks fine to me. it jumps to 0x158, since offset 0 is the next insn after jump which is 0x30 That's how classic bpf defined jumps.
Powered by blists - more mailing lists