| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9a8076d1-a88b-b0e8-3c47-969a022feb60@solarflare.com>
Date: Tue, 22 Aug 2017 19:03:04 +0100
From: Edward Cree <ecree@...arflare.com>
To: Alexei Starovoitov <ast@...com>, <davem@...emloft.net>,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
Daniel Borkmann <daniel@...earbox.net>
CC: <netdev@...r.kernel.org>,
iovisor-dev <iovisor-dev@...ts.iovisor.org>
Subject: Re: [PATCH net-next 3/4] bpf/verifier: when pruning a branch, ignore
its write marks
On 22/08/17 16:50, Edward Cree wrote:
> On 22/08/17 16:24, Alexei Starovoitov wrote:
>> Do you have a test case for this by any chance?
> I think something like
> if (cond)
> r0=0;
> if (cond)
> r0=0;
> return r0;
> might tickle the bug, but I'm not sure.
It turns out that (cond) has to be constructed not to alter our knowledge
of whatever register we're testing, but apart from that, this works.
{
"liveness pruning and write screening",
.insns = {
/* Get an unknown value */
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
/* branch conditions teach us nothing about R2 */
BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
.errstr = "R0 !read_ok",
.result = REJECT,
.prog_type = BPF_PROG_TYPE_LWT_IN,
},
This test fails on net-next, but passes with my patch.
I'll include it in the next spin of the series.
Powered by blists - more mailing lists