From patchwork Thu Jun 25 12:47:39 2015
X-Patchwork-Submitter: Xi Wang
X-Patchwork-Id: 6675021
From: Xi Wang
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] arm64: bpf: fix out-of-bounds read in bpf2a64_offset()
Date: Thu, 25 Jun 2015 05:47:39 -0700
Message-Id: <1435236459-15141-1-git-send-email-xi.wang@gmail.com>
Cc: Zi Shen Lim, Will Deacon, linux-kernel@vger.kernel.org, Xi Wang, Alexei Starovoitov

Problems occur when bpf_to or bpf_from has value prog->len - 1 (e.g., "Very long jump backwards" in test_bpf where the last instruction is a jump): since ctx->offset has length prog->len, ctx->offset[bpf_to + 1] or ctx->offset[bpf_from + 1] will cause an out-of-bounds read, leading to a bogus jump offset and kernel panic.

This patch moves updating ctx->offset to after calling build_insn(), and changes indexing to use bpf_to and bpf_from without + 1.

Cc: Zi Shen Lim
Cc: Alexei Starovoitov
Cc: Will Deacon
Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
Signed-off-by: Xi Wang
Acked-by: Alexei Starovoitov
---
 arch/arm64/net/bpf_jit_comp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index dc6a484..c81ddd4 100644
--- a/arch/arm64/net/bpf_jit_comp.c +++ b/arch/arm64/net/bpf_jit_comp.c @@ -113,9 +113,9 @@ static inline void emit_a64_mov_i(const int is64, const int reg, static inline int bpf2a64_offset(int bpf_to, int bpf_from, const struct jit_ctx *ctx) { - int to = ctx->offset[bpf_to + 1]; + int to = ctx->offset[bpf_to]; /* -1 to account for the Branch instruction */ - int from = ctx->offset[bpf_from + 1] - 1; + int from = ctx->offset[bpf_from] - 1; return to - from; } @@ -640,10 +640,11 @@ static int build_body(struct jit_ctx *ctx) const struct bpf_insn *insn = &prog->insnsi[i]; int ret; + ret = build_insn(insn, ctx); + if (ctx->image == NULL) ctx->offset[i] = ctx->idx; - ret = build_insn(insn, ctx); if (ret > 0) { i++; continue;
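Review bot: in the bpf2a64_offset() hunk, dropping the + 1 moves the array's lower bound as well as its upper one: ctx->offset[bpf_to + 1] was still in range for bpf_to == -1, whereas ctx->offset[bpf_to] reads before the start of the array for that value, and the function still has no guard against an index outside [0, prog->len). Suggest a comment above the function stating the invariant it now depends on (ctx->offset[i] is the A64 index just past BPF instruction i, as recorded by build_body() in the second hunk) and a range check on bpf_to and bpf_from, so that a later change does not reintroduce the + 1 on one side only or hand the function an index the array cannot hold.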
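Review bot: in the build_body() hunk, the ret > 0 path still does `i++; continue;` after the single `ctx->offset[i] = ctx->idx;` assignment, so the slot it skips (the second slot of a two-slot instruction) never gets an offset recorded; with bpf2a64_offset() now reading ctx->offset[bpf_to] rather than ctx->offset[bpf_to + 1], a jump whose index lands on that skipped slot would read an entry that was never written. Suggest also recording `ctx->offset[i] = ctx->idx;` under the same ctx->image == NULL test after the i++ in the ret > 0 branch, and adding a test_bpf case that jumps to the instruction immediately following a two-slot one. A smaller point: ctx->offset[i] is now written even when build_insn() returns an error, which is harmless but worth a comment.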
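A constructed C model of the offset bookkeeping after this patch, added here and not part of the kernel patch: it replays build_body()'s record-after-emit convention for a made-up four-instruction program, reproduces the last-instruction jump case from the description, and adds an explicit range check (the check, the kWidths table and all model_* and demo_* names are this example's assumptions) so an out-of-range index is rejected instead of read.

```c
#include <stdio.h>

/* Constructed model of the JIT's offset bookkeeping (not kernel code):
 * kWidths[i] is how many A64 words eBPF instruction i expands to. */
static const int kWidths[] = {2, 1, 3, 1};   /* 4 insns, the last is a jump */
struct model_ctx {
	int len;          /* prog->len */
	int idx;          /* next free A64 word (ctx->idx) */
	int offset[16];   /* ctx->offset; only len entries are valid */
};
/* Replays build_body() under the patched convention: offset[i] is recorded
 * after instruction i is emitted, so it names the A64 word following it. */
static void model_build_body(struct model_ctx *ctx, const int *widths, int len)
{
	ctx->len = len;
	ctx->idx = 0;
	for (int i = 0; i < len; i++) {
		ctx->idx += widths[i];           /* stands in for build_insn() */
		ctx->offset[i] = ctx->idx;
	}
}
/* bpf2a64_offset() with the patched indexing plus an explicit range check
 * (the check is this example's addition). Returns 0 and stores the branch
 * distance in *out, or -1 if an index would read outside ctx->offset. */
static int model_bpf2a64_offset(int bpf_to, int bpf_from,
				const struct model_ctx *ctx, int *out)
{
	if (bpf_to < 0 || bpf_to >= ctx->len || bpf_from < 0 || bpf_from >= ctx->len)
		return -1;
	int to = ctx->offset[bpf_to];
	int from = ctx->offset[bpf_from] - 1;   /* -1: the branch word itself */
	*out = to - from;
	return 0;
}
/* Branch distance for a jump in the constructed program, or -999 if rejected. */
static int demo_distance(int bpf_to, int bpf_from)
{
	struct model_ctx ctx;
	int d;
	model_build_body(&ctx, kWidths, 4);
	return model_bpf2a64_offset(bpf_to, bpf_from, &ctx, &d) ? -999 : d;
}
int main(void)
{
	/* (3,3): last insn to the epilogue, the bpf_to == len - 1 case that the
	 * pre-patch code indexed as offset[len]. Expected: 1 -4 -999 -999 */
	printf("%d %d %d %d\n", demo_distance(3, 3), demo_distance(0, 3),
	       demo_distance(4, 3), demo_distance(-1, 3));
	return 0;
}
```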