From: Alexei Starovoitov <ast@plumgrid.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Yonghong Song <yhs@plumgrid.com>,
netdev@vger.kernel.org
Subject: [PATCH net] bpf: fix out of bounds access in verifier log
Date: Tue, 8 Sep 2015 13:40:01 -0700
Message-ID: <1441744801-15537-1-git-send-email-ast@plumgrid.com>

When the verifier log is enabled the print_bpf_insn() is doing
  bpf_alu_string[BPF_OP(insn->code) >> 4]
and
  bpf_jmp_string[BPF_OP(insn->code) >> 4]
where BPF_OP is a 4-bit instruction opcode.
Malformed insns can cause out of bounds access.
Fix it by sizing arrays appropriately.

The bug was found by clang address sanitizer with libfuzzer.

Reported-by: Yonghong Song <yhs@plumgrid.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
---
fyi sanitizer error looks like:
...
27 invalid dst register in STX OK
28 invalid dst register in ST OK
29 invalid src register in LDX OK
30 invalid dst register in LDX OK
31 junk insn OK
32 junk insn2 OK
=================================================================
==52730==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000500c58
READ of size 8 at 0x000000500c58 thread T0
#0 0x4e480b in print_bpf_insn verifier.c:332:5
#1 0x4e1bcb in do_check verifier.c:1657:4
...
0x000000500c58 is located 8 bytes to the right of global variable 'bpf_alu_string'
defined in 'verifier.c:286:26' (0x500be0) of size 112
---
kernel/bpf/verifier.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ed12e385fb75..b074b23000d6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -283,7 +283,7 @@ static const char *const bpf_class_string[] = {
[BPF_ALU64] = "alu64",
};
-static const char *const bpf_alu_string[] = {
+static const char *const bpf_alu_string[16] = {
[BPF_ADD >> 4] = "+=",
[BPF_SUB >> 4] = "-=",
[BPF_MUL >> 4] = "*=",
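Review bot: The bare 16 in `bpf_alu_string[16]` is not explained at the declaration; a one-line comment that the index is `BPF_OP(insn->code) >> 4`, a 4-bit value, would stop a later cleanup from dropping the size again. Slots without a designator now read as NULL instead of being out of bounds, so for undefined ALU opcodes print_bpf_insn() passes a NULL string to the log; please confirm the formatting path tolerates that, or fill the gaps with an explicit placeholder string.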
@@ -307,7 +307,7 @@ static const char *const bpf_ldst_string[] = {
[BPF_DW >> 3] = "u64",
};
-static const char *const bpf_jmp_string[] = {
+static const char *const bpf_jmp_string[16] = {
[BPF_JA >> 4] = "jmp",
[BPF_JEQ >> 4] = "==",
[BPF_JGT >> 4] = ">",
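Review bot: `bpf_jmp_string[16]` repeats the same literal as the ALU table; one named constant for the number of 4-bit opcode values would tie the two sizes to their reason. The context line shows `bpf_ldst_string[]`, indexed with `>> 3`, still unsized, and the changelog does not say whether its index can exceed the last initialized entry (`BPF_DW >> 3`); a sentence on that would settle whether it needs the same treatment.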
--
1.7.9.5
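
The sizing issue the patch addresses, as an added user-space example (not code from the patch or the kernel tree). It assumes the pre-patch ALU table's highest designator was BPF_END (0xd0), which matches the 112-byte size in the ASan report; the "end" label and the helper names are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode values as defined in the BPF uapi headers. */
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_ADD 0x00
#define BPF_SUB 0x10
#define BPF_MUL 0x20
#define BPF_END 0xd0
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Pre-patch shape: the highest designator (13) fixes the size at 14 slots,
 * i.e. 14 * 8 = 112 bytes on a 64-bit build, as in the ASan report. */
static const char *const alu_unsized[] = {
	[BPF_ADD >> 4] = "+=", [BPF_SUB >> 4] = "-=",
	[BPF_MUL >> 4] = "*=", [BPF_END >> 4] = "end", /* constructed label */
};

/* Post-patch shape: one slot per 4-bit value; unnamed slots are NULL. */
static const char *const alu_sized[16] = {
	[BPF_ADD >> 4] = "+=", [BPF_SUB >> 4] = "-=",
	[BPF_MUL >> 4] = "*=", [BPF_END >> 4] = "end", /* constructed label */
};

/* Number of slots the compiler gave the unsized table. */
size_t unsized_slots(void) { return ARRAY_SIZE(alu_unsized); }

/* 1 if this opcode byte would index past the end of the unsized table. */
int overflows_unsized(uint8_t code)
{
	return (size_t)(BPF_OP(code) >> 4) >= ARRAY_SIZE(alu_unsized);
}

/* Hypothetical lookup on the sized table: always in bounds, and NULL
 * gaps are mapped to "?" so a caller never formats a NULL string. */
const char *alu_name(uint8_t code)
{
	const char *s = alu_sized[BPF_OP(code) >> 4];
	return s ? s : "?";
}

int main(void)
{
	for (unsigned c = 0xd0; c <= 0xf0; c += 0x10)
		printf("op 0x%02x: past unsized table=%d, sized lookup=%s\n",
		       c, overflows_unsized((uint8_t)c), alu_name((uint8_t)c));
	return 0;
}
```

Opcode values 0xe0 and 0xf0 are the two that fall outside the 14-slot table; the address in the ASan report (8 bytes past the end, read of size 8) corresponds to index 15.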