Message-ID: <6319f997-bc83-5515-4b3b-a87f57c65db3@iogearbox.net>
Date: Sat, 2 Mar 2019 00:07:00 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: Paul Burton <paul.burton@...s.com>, "linux-mips@...r.kernel.org" <linux-mips@...r.kernel.org>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Paul Burton <pburton@...ecomp.com>, Alexei Starovoitov <ast@...nel.org>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] MIPS: eBPF: Fix icache flush end address

On 03/01/2019 11:58 PM, Paul Burton wrote:
> The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
> icache observes the code that we just wrote. Unfortunately it gets the
> end address calculation wrong due to some bad pointer arithmetic.
>
> The struct jit_ctx target field is of type pointer to u32, and as such
> adding one to it will increment the address being pointed to by 4 bytes.
> Therefore in order to find the address of the end of the code we simply
> need to add the number of 4 byte instructions emitted, but we mistakenly
> add the number of instructions multiplied by 4. This results in the call
> to flush_icache_range() operating on a memory region 4x larger than
> intended, which is always wasteful and can cause crashes if we overrun
> into an unmapped page.
>
> Fix this by correcting the pointer arithmetic to remove the bogus
> multiplication, and use braces to remove the need for a set of brackets
> whilst also making it obvious that the target field is a pointer.
>
> Signed-off-by: Paul Burton <paul.burton@...s.com>
> Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
> Cc: Alexei Starovoitov <ast@...nel.org>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> Cc: Martin KaFai Lau <kafai@...com>
> Cc: Song Liu <songliubraving@...com>
> Cc: Yonghong Song <yhs@...com>
> Cc: netdev@...r.kernel.org
> Cc: bpf@...r.kernel.org
> Cc: linux-mips@...r.kernel.org
> Cc: stable@...r.kernel.org # v4.13+

Good catch, applied to bpf, thanks!
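The pointer-arithmetic mistake described in the quoted commit message, reduced to a stand-alone C model. This is an added illustration, not code from the patch or from the kernel: struct jit_ctx here is a simplified stand-in for the real JIT context (only the target and idx fields), and flush_len_buggy, flush_len_fixed and flush_range_in_image are names chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's JIT context (assumption: only the
 * two fields relevant to the end-address calculation are modelled). */
struct jit_ctx {
    uint32_t *target;   /* start of the emitted code; MIPS instructions are 4 bytes */
    unsigned int idx;   /* number of instructions emitted so far */
};

/* Length in bytes that the pre-fix expression hands to flush_icache_range().
 * Because target is a u32 pointer, "+ 1" already advances 4 bytes, so
 * multiplying idx by 4 scales the range a second time. */
size_t flush_len_buggy(const struct jit_ctx *ctx)
{
    const uint32_t *end = ctx->target + ctx->idx * 4;
    return (size_t)((const char *)end - (const char *)ctx->target);
}

/* Length in bytes after the fix: the end is simply &target[idx]. */
size_t flush_len_fixed(const struct jit_ctx *ctx)
{
    const uint32_t *end = &ctx->target[ctx->idx];
    return (size_t)((const char *)end - (const char *)ctx->target);
}

/* Defensive check: a flush range must never extend past the JIT image that
 * was actually allocated, otherwise it can touch an unmapped page. */
bool flush_range_in_image(const struct jit_ctx *ctx, size_t len, size_t image_bytes)
{
    (void)ctx;
    return len <= image_bytes;
}

int main(void)
{
    static uint32_t image[2048];                /* constructed 8 KiB code buffer */
    struct jit_ctx ctx = { .target = image, .idx = 100 };
    size_t image_bytes = 1024;                  /* pretend only 1 KiB was mapped */

    printf("buggy: %zu bytes (in image: %d)\n", flush_len_buggy(&ctx),
           flush_range_in_image(&ctx, flush_len_buggy(&ctx), image_bytes));
    printf("fixed: %zu bytes (in image: %d)\n", flush_len_fixed(&ctx),
           flush_range_in_image(&ctx, flush_len_fixed(&ctx), image_bytes));
    return 0;
}
```

With 100 emitted instructions the fixed range is 400 bytes while the buggy one is 1600, four times larger, which the bounds check flags as overrunning a 1 KiB image.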