lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <c40e121c-00ad-aa6e-74c0-6a7857b91f59@iogearbox.net>
Date:   Tue, 31 Jul 2018 23:07:07 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Arthur Fabre <afabre@...udflare.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Y Song <ys114321@...il.com>,
        Edward Cree <ecree@...arflare.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v2] bpf: verifier: MOV64 don't mark dst reg unbounded

On 07/31/2018 07:17 PM, Arthur Fabre wrote:
> When check_alu_op() handles a BPF_MOV64 between two registers,
> it calls check_reg_arg(DST_OP) on the dst register, marking it as unbounded.
> If the src and dst register are the same, this marks the src as
> unbounded, which can lead to unexpected errors for further checks that
> rely on bounds info. For example:
> 
> 	BPF_MOV64_IMM(BPF_REG_2, 0),
> 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
> 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
> 	BPF_MOV64_IMM(BPF_REG_0, 0),
> 	BPF_EXIT_INSN(),
> 
> results in:
> 
> 	"math between ctx pointer and register with unbounded min value is not
>         allowed"
> 
> check_alu_op() now uses check_reg_arg(DST_OP_NO_MARK), and MOVs
> that need to mark the dst register (MOVIMM, MOV32) do so.
> 
> Added a test case for MOV64 dst == src, and dst != src.
> 
> Signed-off-by: Arthur Fabre <afabre@...udflare.com>

Looks good, applied to bpf-next, thanks Arthur!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ