| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 5 Dec 2018 15:32:50 +0000
From: Jiong Wang <jiong.wang@...ronome.com>
To: Edward Cree <ecree@...arflare.com>, ast@...nel.org,
daniel@...earbox.net
Cc: netdev@...r.kernel.org, oss-drivers@...ronome.com
Subject: Re: [PATCH bpf-next] bpf: relax verifier restriction on BPF_MOV |
BPF_ALU
On 05/12/2018 14:52, Edward Cree wrote:
> On 05/12/18 09:46, Jiong Wang wrote:
>> There is NO processed instruction number regression, either with or without
>> -mattr=+alu32.
> <snip>
>> Cilium bpf
>> ===
>> bpf_lb-DLB_L3.o 2110/2110 1730/1733
> That looks like a regression of 3 insns in the 32-bit case.
> May be worth investigating why.
Will look into this.
>
>> + dst_reg = insn->dst_reg;
>> + regs[dst_reg] = regs[src_reg];
>> + if (BPF_CLASS(insn->code) == BPF_ALU) {
>> + /* Update type and range info. */
>> + regs[dst_reg].type = SCALAR_VALUE;
>> + coerce_reg_to_size(®s[dst_reg], 4);
> Won't this break when handed a pointer (as root, so allowed to leak
> it)? E.g. (pointer + x) gets turned into scalar x, rather than
> unknown scalar in range [0, 0xffffffff].
Initially I was gating this to scalar_value only, later was thinking it
could be extended to ptr case if ptr leak is allowed.
But, your comment remind me min/max value doesn't mean real min/max value
for ptr types value, it means the offset only if I am understanding the
issue correctly. So, it will break pointer case.
Regards,
Jiong
> The existing behaviour is correct for pointers: 32 unknown bits,
> because the value of the pointer base is unknown.
> It's only for scalar_values that you want to copy and truncate the
> var_off and min/max from the src_reg.
>
> -Ed
Powered by blists - more mailing lists