| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAH3MdRVNKCM-WLvm_1REOnqwNJ+iPnTiu-f=n7hZifzXPtsZZg@mail.gmail.com>
Date: Thu, 14 Sep 2017 14:22:55 -0700
From: Y Song <ys114321@...il.com>
To: David Miller <davem@...emloft.net>
Cc: Edward Cree <ecree@...arflare.com>,
Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...com>,
netdev <netdev@...r.kernel.org>
Subject: Re: Bug with BPF_ALU64 | BPF_END?
On Thu, Sep 14, 2017 at 11:14 AM, David Miller <davem@...emloft.net> wrote:
> From: Edward Cree <ecree@...arflare.com>
> Date: Thu, 14 Sep 2017 18:53:17 +0100
>
>> Is BPF_END supposed to only be used with BPF_ALU, never with BPF_ALU64?
Yes, only BPF_ALU. The below is LLVM bpf swap insn encoding:
...
// bswap16, bswap32, bswap64
class BSWAP ...
...
let op = 0xd; // BPF_END
let BPFSrc = 1; // BPF_TO_BE (TODO: use BPF_TO_LE for big-endian target)
let BPFClass = 4; // BPF_ALU
...
>> In kernel/bpf/core.c:___bpf_prog_run(), there are only jump table targets
>> for the BPF_ALU case, not for the BPF_ALU64 case (opcodes 0xd7 and 0xdf).
>> But the verifier doesn't enforce this; by crafting a program that uses
>> these opcodes I can get a WARN when they're run (without JIT; it looks
>> like the x86 JIT, at least, won't like it either).
>> Proposed patch below the cut; build-tested only.
>
> Good catch.
>
> A really neat test would be a program that uploads random BPF programs
> into the kernel, in a syzkaller'ish way. It might have triggered this
> (eventually).
>
Powered by blists - more mailing lists