Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 95782bf4 authored by Markos Chandras's avatar Markos Chandras Committed by Ralf Baechle
Browse files

MIPS: BPF: Prevent kernel fall over for >=32bit shifts 



Remove BUG_ON() if the shift immediate is >=32 to avoid kernel crashes
due to malicious user input. If the shift immediate is >= 32,
we simply load the destination register with 0 since only
32-bit instructions are used by JIT so this will do the
correct thing even on MIPS64.

Signed-off-by: default avatarMarkos Chandras <markos.chandras@imgtec.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: netdev@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7179/


Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
parent e5bb48b0

arch/mips/net/bpf_jit.c

+12 −4
Original line number Diff line number Diff line
@@ -151,6 +151,8 @@ static inline int optimize_div(u32 *k) 
	return 0;

}



static inline void emit_jit_reg_move(ptr dst, ptr src, struct jit_ctx *ctx);



/* Simply emit the instruction if the JIT memory space has been allocated */

#define emit_instr(ctx, func, ...)			\

do {							\
@@ -309,7 +311,10 @@ static inline void emit_sll(unsigned int dst, unsigned int src, 
			    unsigned int sa, struct jit_ctx *ctx)

{

	/* sa is 5-bits long */

	BUG_ON(sa >= BIT(5));

	if (sa >= BIT(5))

		/* Shifting >= 32 results in zero */

		emit_jit_reg_move(dst, r_zero, ctx);

	else

		emit_instr(ctx, sll, dst, src, sa);

}
@@ -323,7 +328,10 @@ static inline void emit_srl(unsigned int dst, unsigned int src, 
			    unsigned int sa, struct jit_ctx *ctx)

{

	/* sa is 5-bits long */

	BUG_ON(sa >= BIT(5));

	if (sa >= BIT(5))

		/* Shifting >= 32 results in zero */

		emit_jit_reg_move(dst, r_zero, ctx);

	else

		emit_instr(ctx, srl, dst, src, sa);

}