| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Sep 2020 16:21:17 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>,
Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc: Yonghong Song <yhs@...com>, bpf <bpf@...r.kernel.org>,
Networking <netdev@...r.kernel.org>,
Alexei Starovoitov <ast@...nel.org>,
Kernel Team <kernel-team@...com>
Subject: Re: [PATCH bpf-next 1/2] bpf: permit map_ptr arithmetic with opcode
add and offset 0
On 9/5/20 2:10 AM, Alexei Starovoitov wrote:
> On Fri, Sep 4, 2020 at 5:08 PM Andrii Nakryiko
> <andrii.nakryiko@...il.com> wrote:
>> On Fri, Sep 4, 2020 at 4:20 PM Yonghong Song <yhs@...com> wrote:
[...]
>>> for scalar constant, reg->var_off.mask should be 0. so we will have
>>> reg->smin_value = reg->smax_value = (s64)reg->var_off.value.
>>>
>>> The smin_val is also used below, e.g., BPF_ADD, for a known value.
>>> That is why I am using smin_val here.
>>>
>>> Will add a comment and submit v2.
>>
>> it would be way-way more obvious (and reliable in the long run,
>> probably) if you just used (known && reg->var_off.value == 0). or just
>> tnum_equals_const(reg->var_off, 0)?
>
> Pls dont. smin_val == 0 is a standard way to do this.
> Just check all other places in this function and everywhere else.
Also, we taint the reg earlier in that function if its known and min != max:
if ((known && (smin_val != smax_val || umin_val != umax_val)) ||
smin_val > smax_val || umin_val > umax_val) {
/* Taint dst register if offset had invalid bounds derived from
* e.g. dead branches.
*/
__mark_reg_unknown(env, dst_reg);
return 0;
}
Powered by blists - more mailing lists