| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <19182062-db30-a886-e8f7-dd6101ac53a5@iogearbox.net>
Date: Tue, 8 Jan 2019 13:54:02 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: ZhangXiaoxu <zhangxiaoxu5@...wei.com>, ast@...nel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH] bpf: fix shift overflow in ___bpf_prog_run
On 01/08/2019 07:16 AM, ZhangXiaoxu wrote:
> From: Zhang Xiaoxu <zhangxiaoxu5@...wei.com>
>
> There is a UBSAN bug as blew:
> UBSAN: Undefined behaviour in kernel/bpf/core.c:1055:2
> shift exponent 511 is too large for 32-bit type 'unsigned int'
>
> Reproduce program:
> #include <errno.h>
> #include <stddef.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <linux/audit.h>
> #include <linux/filter.h>
> #include <linux/seccomp.h>
> #include <sys/prctl.h>
> #include <sys/syscall.h>
>
> int main() {
> struct sock_filter sock_filter[3] = {
> BPF_JUMP(BPF_LDX|BPF_IMM, 0x1ff, 0x2, 0xfffffffffffffffd),
> BPF_JUMP(BPF_ALU|BPF_LSH|BPF_X, 0x0, 0x506, 0x401),
> BPF_JUMP(BPF_RET|BPF_K, 0x0, 0x0, SECCOMP_RET_KILL)
> };
>
> struct sock_fprog sock_fprog= {
> .len = 3,
> .filter = &sock_filter,
> };
>
> int ret = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &sock_fprog);
> printf("%d\n", ret);
>
> return 0;
> }
>
> Make sure the right operand not greater than or equal to the
> width of the promoted left operand when do shift operation.
>
> Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@...wei.com>
See discussion in: https://lkml.org/lkml/2015/12/4/148
Thanks,
Daniel
Powered by blists - more mailing lists