| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <158507155667.15666.4189866174878249746.stgit@john-Precision-5820-Tower>
Date: Tue, 24 Mar 2020 10:39:16 -0700
From: John Fastabend <john.fastabend@...il.com>
To: ecree@...arflare.com, yhs@...com, alexei.starovoitov@...il.com,
daniel@...earbox.net
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org,
john.fastabend@...il.com
Subject: [bpf-next PATCH 05/10] bpf: verifier,
return value is an int in do_refine_retval_range
Mark 32-bit subreg region with max value because do_refine_retval_range()
catches functions with int return type (We will assume here that int is
a 32-bit type). Marking 64-bit region could be dangerous if upper bits
are not zero which could be possible.
Two reasons to pull this out of original patch. First it makes the original
fix impossible to backport. And second I've not seen this as being problematic
in practice unlike the other case.
Fixes: 849fa50662fbc ("bpf/verifier: refine retval R0 state for bpf_get_stack helper")
Signed-off-by: John Fastabend <john.fastabend@...il.com>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6372fa4..3731109 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4328,7 +4328,7 @@ static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type,
func_id != BPF_FUNC_probe_read_str))
return;
- ret_reg->smax_value = meta->msize_max_value;
+ ret_reg->s32_max_value = meta->msize_max_value;
__reg_deduce_bounds(ret_reg);
__reg_bound_offset(ret_reg);
__update_reg_bounds(ret_reg);
Powered by blists - more mailing lists