lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <845025d4-11b9-b16d-1dd6-1e0bd66b0e20@canonical.com>
Date:   Thu, 15 Jul 2021 13:02:10 +0100
From:   Colin Ian King <colin.king@...onical.com>
To:     Michael Holzheu <holzheu@...ux.vnet.ibm.com>,
        Martin Schwidefsky <schwidefsky@...ibm.com>
Cc:     Heiko Carstens <hca@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ibm.com>,
        Ilya Leoshkevich <iii@...ux.ibm.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        linux-s390@...r.kernel.org,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        bpf@...r.kernel.org,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Range checking on r1 in function reg_set_seen in
 arch/s390/net/bpf_jit_comp.c

Hi

Static analysis with cppcheck picked up an interesting issue with the
following inline helper function in arch/s390/net/bpf_jit_comp.c :

static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
{
        u32 r1 = reg2hex[b1];

        if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)
                jit->seen_reg[r1] = 1;
}

Although I believe r1 is always within range, the range check on r1 is
being performed before the more cache/memory expensive lookup on
jit->seen_reg[r1].  I can't see why the range change is being performed
after the access of jit->seen_reg[r1]. The following seems more correct:

	if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])
                jit->seen_reg[r1] = 1;

..since the check on r1 are less expensive than !jit->seen_reg[r1] and
also the range check ensures the array access is not out of bounds. I
was just wondering if I'm missing something deeper to why the order is
the way it is.

Colin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ