Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 06928b38 authored Jan 12, 2016 by Rabin Vincent Committed by David S. Miller Jan 12, 2016

net: bpf: reject invalid shifts



On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
constant shift that can't be encoded in the immediate field of the
UBFM/SBFM instructions is passed to the JIT.  Since these shifts
amounts, which are negative or >= regsize, are invalid, reject them in
the eBPF verifier and the classic BPF filter checker, for all
architectures.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 03d84a5f

kernel/bpf/verifier.c

+10 −0

Original line number	Diff line number	Diff line
		@@ -1121,6 +1121,16 @@ static int check_alu_op(struct verifier_env env, struct bpf_insn insn)
		return -EINVAL;
		}

		if ((opcode == BPF_LSH \|\| opcode == BPF_RSH \|\|
		opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
		int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;

		if (insn->imm < 0 \|\| insn->imm >= size) {
		verbose("invalid shift %d\n", insn->imm);
		return -EINVAL;
		}
		}

		/* pattern match 'bpf_add Rx, imm' instruction */
		if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
		regs[insn->dst_reg].type == FRAME_PTR &&

net/core/filter.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -777,6 +777,11 @@ static int bpf_check_classic(const struct sock_filter *filter,
		if (ftest->k == 0)
		return -EINVAL;
		break;
		case BPF_ALU \| BPF_LSH \| BPF_K:
		case BPF_ALU \| BPF_RSH \| BPF_K:
		if (ftest->k >= 32)
		return -EINVAL;
		break;
		case BPF_LD \| BPF_MEM:
		case BPF_LDX \| BPF_MEM:
		case BPF_ST: