lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 8 Jan 2022 10:53:49 -0800
From:   Yonghong Song <yhs@...com>
To:     "Yichun Zhang (agentzh)" <yichun@...nresty.com>
CC:     Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        <netdev@...r.kernel.org>, <bpf@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <llvm@...ts.linux.dev>
Subject: Re: [PATCH] bpf: btf: Fix a var size check in validator



On 1/7/22 6:22 PM, Yichun Zhang (agentzh) wrote:
> The btf validator should croak when the variable size is larger than
> its type size, not less. The LLVM optimizer may use smaller sizes for
> the C type.
> 
> We ran into this issue with real-world BPF programs emitted by the
> latest version of Clang/LLVM.

Could you give an example to show we have variable size is less than 
type_size?

> 
> Fixes: 1dc92851849cc ("bpf: kernel side support for BTF Var and DataSec")
> Signed-off-by: Yichun Zhang (agentzh) <yichun@...nresty.com>
> ---
>   kernel/bpf/btf.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 9bdb03767db5..2a6967b13ce1 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -3696,7 +3696,7 @@ static int btf_datasec_resolve(struct btf_verifier_env *env,
>   			return -EINVAL;
>   		}
>   
> -		if (vsi->size < type_size) {
> +		if (vsi->size > type_size) {
>   			btf_verifier_log_vsi(env, v->t, vsi, "Invalid size");
>   			return -EINVAL;
>   		}

The fix is incorrect. We do have cases where variable size greater than 
type_size. For example,

$ cat t.c
struct t {
   int  g;
   char a[];
} v = {1, {'a', 'b', 'c', 0}};

The type (struct t) size is 4, but the variable size is 8.

Powered by blists - more mailing lists