| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210809093437.876558-2-johan.almbladh@anyfinetworks.com>
Date: Mon, 9 Aug 2021 11:34:31 +0200
From: Johan Almbladh <johan.almbladh@...finetworks.com>
To: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org
Cc: kafai@...com, songliubraving@...com, yhs@...com,
john.fastabend@...il.com, kpsingh@...nel.org,
netdev@...r.kernel.org, bpf@...r.kernel.org,
illusionist.neo@...il.com, zlim.lnx@...il.com,
paulburton@...nel.org, naveen.n.rao@...ux.ibm.com,
sandipan@...ux.ibm.com, luke.r.nels@...il.com, bjorn@...nel.org,
iii@...ux.ibm.com, hca@...ux.ibm.com, gor@...ux.ibm.com,
davem@...emloft.net, udknight@...il.com,
Johan Almbladh <johan.almbladh@...finetworks.com>
Subject: [PATCH bpf-next 1/7] arm: bpf: Fix off-by-one in tail call count limiting
Before, the eBPF JIT allowed up to MAX_TAIL_CALL_CNT + 1 tail calls.
Now, precisely MAX_TAIL_CALL_CNT is allowed, which is in line with the
behaviour of the interpreter. Verified with the test_bpf test suite
on qemu-system-arm.
Signed-off-by: Johan Almbladh <johan.almbladh@...finetworks.com>
---
arch/arm/net/bpf_jit_32.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index a951276f0547..200ae9d24205 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -1180,12 +1180,12 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
/* tmp2[0] = array, tmp2[1] = index */
- /* if (tail_call_cnt > MAX_TAIL_CALL_CNT)
+ /* if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
* goto out;
* tail_call_cnt++;
*/
- lo = (u32)MAX_TAIL_CALL_CNT;
- hi = (u32)((u64)MAX_TAIL_CALL_CNT >> 32);
+ lo = (u32)(MAX_TAIL_CALL_CNT - 1);
+ hi = (u32)((u64)(MAX_TAIL_CALL_CNT - 1) >> 32);
tc = arm_bpf_get_reg64(tcc, tmp, ctx);
emit(ARM_CMP_I(tc[0], hi), ctx);
_emit(ARM_COND_EQ, ARM_CMP_I(tc[1], lo), ctx);
--
2.25.1
Powered by blists - more mailing lists