diff options
author | Yonghong Song <yonghong.song@linux.dev> | 2023-07-31 13:45:34 -0700 |
---|---|---|
committer | Quentin Monnet <qmonnet+github@qoba.lt> | 2023-08-29 12:34:13 +0100 |
commit | ef3c5db24ae1942d54b0e11743e5ad403d63600d (patch) | |
tree | 32a08f9e8656197226bf0a0045cf2d1c9e224d1e | |
parent | d9e40179aa8092c48e3b3d8d845f79c9f08fb49e (diff) | |
download | bpftool-ef3c5db24ae1942d54b0e11743e5ad403d63600d.tar.gz |
bpf: Fix an array-index-out-of-bounds issue in disasm.c
syzbot reported an array-index-out-of-bounds when printing out bpf
insns. Further investigation shows the insn is illegal but
is printed out due to log level 1 or 2 before actual insn verification
in do_check().
This particular illegal insn is a MOVSX insn with offset value 2.
The legal offset value for MOVSX should be 8, 16 and 32.
The disasm sign-extension-size array index is calculated as
(insn->off / 8) - 1
and offset value 2 gives an out-of-bound index -1.
Tighten the checking for MOVSX insn in disasm.c to avoid
array-index-out-of-bounds issue.
Reported-by: syzbot+3758842a6c01012aa73b@syzkaller.appspotmail.com
Fixes: f835bb622299 ("bpf: Add kernel/bpftool asm support for new instructions")
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20230731204534.1975311-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-rw-r--r-- | src/kernel/bpf/disasm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/kernel/bpf/disasm.c b/src/kernel/bpf/disasm.c index d7bff60..ef7c107 100644 --- a/src/kernel/bpf/disasm.c +++ b/src/kernel/bpf/disasm.c @@ -162,7 +162,8 @@ static bool is_sdiv_smod(const struct bpf_insn *insn) static bool is_movsx(const struct bpf_insn *insn) { - return BPF_OP(insn->code) == BPF_MOV && insn->off != 0; + return BPF_OP(insn->code) == BPF_MOV && + (insn->off == 8 || insn->off == 16 || insn->off == 32); } void print_bpf_insn(const struct bpf_insn_cbs *cbs, |