From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Luke Nelson <lukenels@cs.washington.edu>,
Xi Wang <xi.wang@gmail.com>, Luke Nelson <luke.r.nels@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
"H . Peter Anvin" <hpa@zytor.com>,
Wang YanQing <udknight@gmail.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 55/57] bpf, x86_32: Fix incorrect encoding in BPF_LDX zero-extension
Date: Thu, 30 Apr 2020 09:52:16 -0400
Message-ID: <20200430135218.20372-55-sashal@kernel.org>
In-Reply-To: <20200430135218.20372-1-sashal@kernel.org>
From: Luke Nelson <lukenels@cs.washington.edu>
[ Upstream commit 5fa9a98fb10380e48a398998cd36a85e4ef711d6 ]
The current JIT uses the following sequence to zero-extend into the
upper 32 bits of the destination register for BPF_LDX BPF_{B,H,W},
when the destination register is not on the stack:

  EMIT3(0xC7, add_1reg(0xC0, dst_hi), 0);

The problem is that C7 /0 encodes a MOV instruction that requires a 4-byte
immediate; the current code emits only 1 byte of the immediate. This
means that the first 3 bytes of the next instruction will be treated as
the rest of the immediate, breaking the stream of instructions.

This patch fixes the problem by instead emitting "xor dst_hi,dst_hi"
to clear the upper 32 bits. This fixes the problem and is more efficient
than using MOV to load a zero immediate.

This bug may not be currently triggerable as BPF_REG_AX is the only
register not stored on the stack and the verifier uses it in a limited
way, and the verifier implements a zero-extension optimization. But the
JIT should avoid emitting incorrect encodings regardless.

Fixes: 03f5781be2c7b ("bpf, x86_32: add eBPF JIT compiler for ia32")
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Acked-by: Wang YanQing <udknight@gmail.com>
Link: https://lore.kernel.org/bpf/20200422173630.8351-1-luke.r.nels@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/net/bpf_jit_comp32.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/net/bpf_jit_comp32.c b/arch/x86/net/bpf_jit_comp32.c
index 4d2a7a7646026..cc9ad3892ea6b 100644
--- a/arch/x86/net/bpf_jit_comp32.c
+++ b/arch/x86/net/bpf_jit_comp32.c
@@ -1854,7 +1854,9 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
STACK_VAR(dst_hi));
EMIT(0x0, 4);
} else {
- EMIT3(0xC7, add_1reg(0xC0, dst_hi), 0);
+ /* xor dst_hi,dst_hi */
+ EMIT2(0x33,
+ add_2reg(0xC0, dst_hi, dst_hi));
}
break;
case BPF_DW:
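Review bot: the replacement is a complete two-byte encoding (opcode 0x33 with a mod=11 ModRM whose reg and rm fields are both dst_hi), so unlike the removed EMIT3 it no longer depends on the following instruction's bytes to complete an imm32, which is the defect the commit message describes. One thing worth stating in the `/* xor dst_hi,dst_hi */` comment: xor writes EFLAGS while the mov it replaces did not, so the swap is only a drop-in change when no condition flags are live across this zero-extension; a short note there would spare the next reader from having to verify that for the register path, since the stack path just above still uses a flag-neutral store.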
--
2.20.1
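The encoding defect described in the commit message, as an added example that is not part of the patch or of the kernel's JIT: it re-creates the pre-fix and post-fix emitter sequences into a constructed byte buffer, then runs a minimal length decoder for the two opcodes involved so the short C7 /0 can be seen swallowing the following instruction while the xor form decodes cleanly. add_1reg/add_2reg are hypothetical re-implementations that take raw x86 register numbers rather than the JIT's BPF-to-x86 register mapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Modrm helpers modelled on the JIT's add_1reg/add_2reg (hypothetical
 * re-implementation taking raw x86 register numbers: EAX=0, ECX=1, EDX=2). */
static uint8_t add_1reg(uint8_t b, int dst) { return b + (dst & 7); }
static uint8_t add_2reg(uint8_t b, int dst, int src) { return b + (dst & 7) + ((src & 7) << 3); }
struct code { uint8_t b[32]; size_t len; };	/* constructed code buffer */
/* Pre-fix sequence: C7 /0 is "mov r/m32, imm32" and needs four immediate
 * bytes, but only one is emitted, so the instruction is three bytes short. */
static void emit_zext_buggy(struct code *c, int dst_hi)
{
	uint8_t ins[3] = { 0xC7, add_1reg(0xC0, dst_hi), 0 };
	memcpy(c->b + c->len, ins, sizeof(ins)); c->len += sizeof(ins);
}

/* Post-fix sequence: "xor dst_hi,dst_hi" (33 /r), complete in two bytes. */
static void emit_zext_fixed(struct code *c, int dst_hi)
{
	uint8_t ins[2] = { 0x33, add_2reg(0xC0, dst_hi, dst_hi) };
	memcpy(c->b + c->len, ins, sizeof(ins)); c->len += sizeof(ins);
}

/* Length of the register-direct instruction at p for the two opcodes used
 * here; 0 means unknown opcode or too few bytes left to complete it. */
static size_t insn_len(const uint8_t *p, size_t avail)
{
	if (avail < 2 || (p[1] >> 6) != 3) return 0;
	if (p[0] == 0x33) return 2;				/* xor r32, r/m32 */
	if (p[0] == 0xC7 && ((p[1] >> 3) & 7) == 0)		/* mov r/m32, imm32 */
		return avail >= 6 ? 6 : 0;
	return 0;
}

/* Zero-extend EAX (buggy or fixed encoding), emit two more instructions,
 * then decode the stream. Returns the instruction count, or -1 on desync. */
static int stream_insn_count(int fixed)
{
	struct code c = { .len = 0 };
	size_t off = 0, l = 0;
	int n = 0;
	if (fixed) emit_zext_fixed(&c, 0); else emit_zext_buggy(&c, 0);
	emit_zext_fixed(&c, 2);		/* the "next instruction": xor edx,edx */
	emit_zext_fixed(&c, 1);		/* xor ecx,ecx */
	for (; off < c.len; off += l, n++)
		if (!(l = insn_len(c.b + off, c.len - off)))
			return -1;	/* the short mov swallowed the following bytes */
	return n;
}
```

With the buggy emitter the decoder consumes the three bytes of the first xor as the tail of the mov's immediate and then runs off the end of the buffer; with the fix it sees three complete instructions.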