From patchwork Tue Sep 8 20:40:01 2015
X-Patchwork-Submitter: Alexei Starovoitov
X-Patchwork-Id: 515546
X-Patchwork-Delegate: davem@davemloft.net
From: Alexei Starovoitov
To: "David S. Miller"
Cc: Daniel Borkmann, Yonghong Song, netdev@vger.kernel.org
Subject: [PATCH net] bpf: fix out of bounds access in verifier log
Date: Tue, 8 Sep 2015 13:40:01 -0700
Message-Id: <1441744801-15537-1-git-send-email-ast@plumgrid.com>
X-Mailer: git-send-email 1.7.9.5
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: netdev@vger.kernel.org

When the verifier log is enabled, print_bpf_insn() is doing
bpf_alu_string[BPF_OP(insn->code) >> 4] and
bpf_jmp_string[BPF_OP(insn->code) >> 4]
where BPF_OP is a 4-bit instruction opcode.
Malformed insns can cause out of bounds access.
Fix it by sizing arrays appropriately.

The bug was found by clang address sanitizer with libfuzzer.

Reported-by: Yonghong Song
Signed-off-by: Alexei Starovoitov
Acked-by: Daniel Borkmann
---
fyi sanitizer error looks like:
...
27 invalid dst register in STX OK
28 invalid dst register in ST OK
29 invalid src register in LDX OK
30 invalid dst register in LDX OK
31 junk insn OK
32 junk insn2 OK
=================================================================
==52730==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000500c58
READ of size 8 at 0x000000500c58 thread T0
    #0 0x4e480b in print_bpf_insn verifier.c:332:5
    #1 0x4e1bcb in do_check verifier.c:1657:4
...
0x000000500c58 is located 8 bytes to the right of global variable 'bpf_alu_string' defined in 'verifier.c:286:26' (0x500be0) of size 112
---
 kernel/bpf/verifier.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ed12e385fb75..b074b23000d6 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -283,7 +283,7 @@ static const char *const bpf_class_string[] = { [BPF_ALU64] = "alu64", }; -static const char *const bpf_alu_string[] = { +static const char *const bpf_alu_string[16] = { [BPF_ADD >> 4] = "+=", [BPF_SUB >> 4] = "-=", [BPF_MUL >> 4] = "*=", 
@@ -307,7 +307,7 @@ static const char *const bpf_ldst_string[] = { [BPF_DW >> 3] = "u64", }; -static const char *const bpf_jmp_string[] = { +static const char *const bpf_jmp_string[16] = { [BPF_JA >> 4] = "jmp", [BPF_JEQ >> 4] = "==", [BPF_JGT >> 4] = ">",
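Review bot: in the bpf_alu_string hunk, sizing the array to 16 makes every 4-bit op index valid, but the slots above the last designated initializer are now NULL rather than absent: the sanitizer report shows the old array was 112 bytes, i.e. 14 pointers, so slots 14 and 15 become NULL entries that a junk opcode will fetch at the print_bpf_insn read the trace points at (verifier.c:332). The kernel's vsnprintf renders a NULL "%s" argument as "(null)", so this is no longer a memory error, but the log line is cryptic; consider filling the unused slots with a placeholder such as "?" or checking for NULL before printing, so the log states that the opcode is undefined.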
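Review bot: the bare 16 in the bpf_jmp_string hunk duplicates the one in the bpf_alu_string hunk, and both encode the same fact stated in the commit message, that BPF_OP is a 4-bit field. A single named constant (or `1 << 4`) with a one-line comment tying the length to the opcode width would keep the two tables from drifting apart and make the bound self-documenting; the NULL-slot observation from the previous hunk applies here as well for jump opcodes above the last initialized index.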
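As an added illustration of the indexing problem the commit message describes (this is not code from the patch or from the kernel), the following C program declares the two mnemonic tables the way the "before" and "after" versions of the patch do, counts how many of the 256 possible instruction code bytes would index past the unsized tables, and shows a lookup that stays in bounds and tolerates the NULL slots the sized tables contain. The opcode constants mirror the kernel's eBPF encoding; the mnemonics beyond the three visible in each hunk, the macro names ALU_INIT/JMP_INIT, and the helper functions are assumptions made for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Field extractors and opcode constants mirror the eBPF encoding (linux/bpf_common.h):
 * low 3 bits = class, bit 3 = source, bits 4..7 = op, so (BPF_OP(code) >> 4) is 0..15. */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_OP(code)    ((code) & 0xf0)
#define BPF_ALU   0x04
#define BPF_JMP   0x05
#define BPF_ALU64 0x07
#define BPF_ADD  0x00
#define BPF_SUB  0x10
#define BPF_MUL  0x20
#define BPF_DIV  0x30
#define BPF_OR   0x40
#define BPF_AND  0x50
#define BPF_LSH  0x60
#define BPF_RSH  0x70
#define BPF_NEG  0x80
#define BPF_MOD  0x90
#define BPF_XOR  0xa0
#define BPF_MOV  0xb0
#define BPF_ARSH 0xc0
#define BPF_END  0xd0
#define BPF_JA   0x00
#define BPF_JEQ  0x10
#define BPF_JGT  0x20
#define BPF_JGE  0x30
#define BPF_JSET 0x40
#define BPF_JNE  0x50
#define BPF_JSGT 0x60
#define BPF_JSGE 0x70
#define BPF_CALL 0x80
#define BPF_EXIT 0x90
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* One initializer list per table so "before" and "after" differ only in the
 * declared length.  Mnemonics beyond the three the patch shows are assumed. */
#define ALU_INIT \
	[BPF_ADD >> 4] = "+=",  [BPF_SUB >> 4] = "-=",  [BPF_MUL >> 4] = "*=", \
	[BPF_DIV >> 4] = "/=",  [BPF_OR >> 4] = "|=",   [BPF_AND >> 4] = "&=", \
	[BPF_LSH >> 4] = "<<=", [BPF_RSH >> 4] = ">>=", [BPF_NEG >> 4] = "neg", \
	[BPF_MOD >> 4] = "%=",  [BPF_XOR >> 4] = "^=",  [BPF_MOV >> 4] = "=", \
	[BPF_ARSH >> 4] = "s>>=", [BPF_END >> 4] = "endian"
#define JMP_INIT \
	[BPF_JA >> 4] = "jmp",  [BPF_JEQ >> 4] = "==",  [BPF_JGT >> 4] = ">", \
	[BPF_JGE >> 4] = ">=",  [BPF_JSET >> 4] = "&=", [BPF_JNE >> 4] = "!=", \
	[BPF_JSGT >> 4] = "s>", [BPF_JSGE >> 4] = "s>=", [BPF_CALL >> 4] = "call", \
	[BPF_EXIT >> 4] = "exit"

/* Before the fix: the length is set by the highest designated index, so
 * BPF_END >> 4 == 13 gives 14 slots (112 bytes of 8-byte pointers, as in the
 * sanitizer report) and BPF_EXIT >> 4 == 9 gives 10 slots. */
static const char *const alu_unsized[] = { ALU_INIT };
static const char *const jmp_unsized[] = { JMP_INIT };
/* After the fix: 16 slots, one per op nibble; unassigned slots are NULL. */
static const char *const alu_sized[16] = { ALU_INIT };
static const char *const jmp_sized[16] = { JMP_INIT };

/* Count the code bytes of class 'cls' whose op nibble would index past a table
 * of 'table_len' entries.  Walks all 256 byte values, the space a fuzzer feeds
 * the verifier, without performing the out-of-bounds read itself. */
static unsigned count_oob_codes(uint8_t cls, size_t table_len)
{
	unsigned n = 0;
	for (unsigned code = 0; code < 256; code++)
		if (BPF_CLASS(code) == cls && (size_t)(BPF_OP(code) >> 4) >= table_len)
			n++;
	return n;
}

/* Bounds-safe mnemonic lookup over the sized tables: the index cannot exceed
 * 15, and a NULL slot (undefined opcode) is reported as "?" rather than being
 * passed on as a string pointer. */
static const char *insn_mnemonic(uint8_t code)
{
	unsigned op = BPF_OP(code) >> 4;   /* 0..15, always a valid index */
	const char *s = NULL;
	if (BPF_CLASS(code) == BPF_ALU || BPF_CLASS(code) == BPF_ALU64)
		s = alu_sized[op];
	else if (BPF_CLASS(code) == BPF_JMP)
		s = jmp_sized[op];
	return s ? s : "?";
}

int main(void)
{
	printf("unsized: %u ALU/ALU64 and %u JMP codes read out of bounds\n",
	       count_oob_codes(BPF_ALU, ARRAY_SIZE(alu_unsized)) +
	       count_oob_codes(BPF_ALU64, ARRAY_SIZE(alu_unsized)),
	       count_oob_codes(BPF_JMP, ARRAY_SIZE(jmp_unsized)));
	printf("sized:   %u codes read out of bounds\n",
	       count_oob_codes(BPF_ALU, 16) + count_oob_codes(BPF_ALU64, 16) +
	       count_oob_codes(BPF_JMP, 16));
	printf("0x0f -> %s, 0x95 -> %s, 0xf4 -> %s\n",
	       insn_mnemonic(0x0f), insn_mnemonic(0x95), insn_mnemonic(0xf4));
	return 0;
}
```

The unsized ALU table leaves op nibbles 14 and 15 unreachable, which is 4 ALU and 4 ALU64 code bytes, and the unsized jump table leaves nibbles 10 to 15 unreachable, 12 JMP code bytes; with both tables sized to 16 the count drops to zero, and the only remaining concern is the NULL entries, which the lookup above maps to "?".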