lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Aug 2019 10:05:53 +0100 From: Jiong Wang <jiong.wang@...ronome.com> To: "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com> Cc: Alexei Starovoitov <alexei.starovoitov@...il.com>, Daniel Borkmann <daniel@...earbox.net>, Jiong Wang <jiong.wang@...ronome.com>, bpf@...r.kernel.org, linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, Michael Ellerman <mpe@...erman.id.au>, netdev@...r.kernel.org Subject: Re: [RFC PATCH] bpf: handle 32-bit zext during constant blinding Naveen N. Rao writes: > Naveen N. Rao wrote: >> Since BPF constant blinding is performed after the verifier pass, there >> are certain ALU32 instructions inserted which don't have a corresponding >> zext instruction inserted after. This is causing a kernel oops on >> powerpc and can be reproduced by running 'test_cgroup_storage' with >> bpf_jit_harden=2. >> >> Fix this by emitting BPF_ZEXT during constant blinding if >> prog->aux->verifier_zext is set. >> >> Fixes: a4b1d3c1ddf6cb ("bpf: verifier: insert zero extension according to analysis result") >> Reported-by: Michael Ellerman <mpe@...erman.id.au> >> Signed-off-by: Naveen N. Rao <naveen.n.rao@...ux.vnet.ibm.com> >> --- >> This approach (the location where zext is being introduced below, in >> particular) works for powerpc, but I am not entirely sure if this is >> sufficient for other architectures as well. This is broken on v5.3-rc4. > > Alexie, Daniel, Jiong, > Any feedback on this? The fix on BPF_LD | BPF_IMM | BPF_DW looks correct to me, but the two other places looks to me is unnecessary, as those destinations are exposed to external and if they are used as 64-bit then there will be zext inserted for them. Have you verified removing those two fixes will still cause the bug? Regards, Jiong > > - Naveen
Powered by blists - more mailing lists