| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 May 2022 19:37:26 +0800
From: Shung-Hsi Yu <shung-hsi.yu@...e.com>
To: netdev@...r.kernel.org, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org
CC: Shung-Hsi Yu <shung-hsi.yu@...e.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>
Subject: [PATCH bpf-next 2/4] bpf: verifier: explain opcode check in check_ld_imm()
The BPF_SIZE check in the beginning of check_ld_imm() actually guard
against program with JMP instructions that goes to the second
instruction of BPF_LD_IMM64, but may be easily dismissed as an simple
opcode check that's duplicating the effort of bpf_opcode_in_insntable().
Add comment to better reflect the importance of the check.
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@...e.com>
---
kernel/bpf/verifier.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 79a2695ee2e2..133929751f80 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9921,6 +9921,10 @@ static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn)
struct bpf_map *map;
int err;
+ /* checks that this is not the second part of BPF_LD_IMM64, which is
+ * skipped over during opcode check, but a JMP with invalid offset may
+ * cause check_ld_imm() to be called upon it.
+ */
if (BPF_SIZE(insn->code) != BPF_DW) {
verbose(env, "invalid BPF_LD_IMM insn\n");
return -EINVAL;
--
2.36.1
Powered by blists - more mailing lists