lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 8 Jan 2022 10:53:49 -0800 From: Yonghong Song <yhs@...com> To: "Yichun Zhang (agentzh)" <yichun@...nresty.com> CC: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, <netdev@...r.kernel.org>, <bpf@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <llvm@...ts.linux.dev> Subject: Re: [PATCH] bpf: btf: Fix a var size check in validator On 1/7/22 6:22 PM, Yichun Zhang (agentzh) wrote: > The btf validator should croak when the variable size is larger than > its type size, not less. The LLVM optimizer may use smaller sizes for > the C type. > > We ran into this issue with real-world BPF programs emitted by the > latest version of Clang/LLVM. Could you give an example to show we have variable size is less than type_size? > > Fixes: 1dc92851849cc ("bpf: kernel side support for BTF Var and DataSec") > Signed-off-by: Yichun Zhang (agentzh) <yichun@...nresty.com> > --- > kernel/bpf/btf.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > index 9bdb03767db5..2a6967b13ce1 100644 > --- a/kernel/bpf/btf.c > +++ b/kernel/bpf/btf.c > @@ -3696,7 +3696,7 @@ static int btf_datasec_resolve(struct btf_verifier_env *env, > return -EINVAL; > } > > - if (vsi->size < type_size) { > + if (vsi->size > type_size) { > btf_verifier_log_vsi(env, v->t, vsi, "Invalid size"); > return -EINVAL; > } The fix is incorrect. We do have cases where variable size greater than type_size. For example, $ cat t.c struct t { int g; char a[]; } v = {1, {'a', 'b', 'c', 0}}; The type (struct t) size is 4, but the variable size is 8.
Powered by blists - more mailing lists