lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Sep 2020 16:21:17 +0200 From: Daniel Borkmann <daniel@...earbox.net> To: Alexei Starovoitov <alexei.starovoitov@...il.com>, Andrii Nakryiko <andrii.nakryiko@...il.com> Cc: Yonghong Song <yhs@...com>, bpf <bpf@...r.kernel.org>, Networking <netdev@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, Kernel Team <kernel-team@...com> Subject: Re: [PATCH bpf-next 1/2] bpf: permit map_ptr arithmetic with opcode add and offset 0 On 9/5/20 2:10 AM, Alexei Starovoitov wrote: > On Fri, Sep 4, 2020 at 5:08 PM Andrii Nakryiko > <andrii.nakryiko@...il.com> wrote: >> On Fri, Sep 4, 2020 at 4:20 PM Yonghong Song <yhs@...com> wrote: [...] >>> for scalar constant, reg->var_off.mask should be 0. so we will have >>> reg->smin_value = reg->smax_value = (s64)reg->var_off.value. >>> >>> The smin_val is also used below, e.g., BPF_ADD, for a known value. >>> That is why I am using smin_val here. >>> >>> Will add a comment and submit v2. >> >> it would be way-way more obvious (and reliable in the long run, >> probably) if you just used (known && reg->var_off.value == 0). or just >> tnum_equals_const(reg->var_off, 0)? > > Pls dont. smin_val == 0 is a standard way to do this. > Just check all other places in this function and everywhere else. Also, we taint the reg earlier in that function if its known and min != max: if ((known && (smin_val != smax_val || umin_val != umax_val)) || smin_val > smax_val || umin_val > umax_val) { /* Taint dst register if offset had invalid bounds derived from * e.g. dead branches. */ __mark_reg_unknown(env, dst_reg); return 0; }
Powered by blists - more mailing lists