| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 May 2017 21:14:06 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: ast@...com
Cc: daniel@...earbox.net, alexei.starovoitov@...il.com,
netdev@...r.kernel.org
Subject: Re: [PATCH v2 1/7] bpf: Track alignment of register values in the
verifier.
From: Alexei Starovoitov <ast@...com>
Date: Thu, 11 May 2017 15:53:06 -0700
> On 5/11/17 9:05 AM, David Miller wrote:
>> + had_id = (dst_reg->id != 0);
>> +
>> /* dst_reg stays as pkt_ptr type and since some positive
>> * integer value was added to the pointer, increment its 'id'
>> */
>> dst_reg->id = ++env->id_gen;
>>
>> - /* something was added to pkt_ptr, set range and off to zero */
>> + /* something was added to pkt_ptr, set range to zero */
>> + dst_reg->aux_off = dst_reg->off;
>
> what about 2nd addition of a variable to pkt_ptr ?
> aux_off sort-of remembers already accumulated offset in pkt_ptr, but
> above line will hard assign it which doesn't seem right for the 2nd
> addition.
> Ex:
> before first add, reg->off == 14
> after first add, aux_off = 14, off = 0
> then imm4 added, now we have reg->off=4, aux_off=14
> now we do 2nd add of variable and
> reg->aux_off becomes 4
> and if we later do u64 load from the packet it will be rejected
> due to (net_ip_align + 4) whereas it should have been ok
> due to (net_ip_align + 14 + 4).
Indeed, we have to accumulate. I was just thinking about this earlier
today.
Thanks for pointing this out, I'll work on a fix and write some test
cases.
Powered by blists - more mailing lists