Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1c16fd57 authored by Naveen N. Rao's avatar Naveen N. Rao Committed by Greg Kroah-Hartman
Browse files

powerpc/bpf: Validate branch ranges 



upstream commit 3832ba4e283d7052b783dab8311df7e3590fed93

Add checks to ensure that we never emit branch instructions with
truncated branch offsets.

Suggested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: default avatarNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Tested-by: default avatarJohan Almbladh <johan.almbladh@anyfinetworks.com>
Reviewed-by: default avatarChristophe Leroy <christophe.leroy@csgroup.eu>
Acked-by: default avatarSong Liu <songliubraving@fb.com>
Acked-by: default avatarJohan Almbladh <johan.almbladh@anyfinetworks.com>
Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/71d33a6b7603ec1013c9734dd8bdd4ff5e929142.1633464148.git.naveen.n.rao@linux.vnet.ibm.com


[include header, drop ppc32 changes]
Signed-off-by: default avatarNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 807e3f7e

arch/powerpc/net/bpf_jit.h

+20 −6
Original line number Diff line number Diff line
@@ -15,6 +15,7 @@ 
#ifndef __ASSEMBLY__



#include <asm/types.h>

#include <asm/code-patching.h>



#ifdef PPC64_ELF_ABI_v1

#define FUNCTION_DESCR_SIZE	24
@@ -176,13 +177,26 @@ 
#define PPC_NEG(d, a)		EMIT(PPC_INST_NEG | ___PPC_RT(d) | ___PPC_RA(a))



/* Long jump; (unconditional 'branch') */

#define PPC_JMP(dest)		EMIT(PPC_INST_BRANCH |			      \

				     (((dest) - (ctx->idx * 4)) & 0x03fffffc))

#define PPC_JMP(dest)							      \

	do {								      \

		long offset = (long)(dest) - (ctx->idx * 4);		      \

		if (!is_offset_in_branch_range(offset)) {		      \

			pr_err_ratelimited("Branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx);			\

			return -ERANGE;					      \

		}							      \

		EMIT(PPC_INST_BRANCH | (offset & 0x03fffffc));		      \

	} while (0)

/* "cond" here covers BO:BI fields. */

#define PPC_BCC_SHORT(cond, dest)	EMIT(PPC_INST_BRANCH_COND |	      \

					     (((cond) & 0x3ff) << 16) |	      \

					     (((dest) - (ctx->idx * 4)) &     \

					      0xfffc))

#define PPC_BCC_SHORT(cond, dest)					      \

	do {								      \

		long offset = (long)(dest) - (ctx->idx * 4);		      \

		if (!is_offset_in_cond_branch_range(offset)) {		      \

			pr_err_ratelimited("Conditional branch offset 0x%lx (@%u) out of range\n", offset, ctx->idx);		\

			return -ERANGE;					      \

		}							      \

		EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc));					\

	} while (0)



/* Sign-extended 32-bit immediate load */

#define PPC_LI32(d, i)		do {					      \

		if ((int)(uintptr_t)(i) >= -32768 &&			      \

arch/powerpc/net/bpf_jit_comp64.c

+7 −3
Original line number Diff line number Diff line
@@ -202,7 +202,7 @@ static void bpf_jit_emit_func_call(u32 *image, struct codegen_context *ctx, u64 
	PPC_BLRL();

}



static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)

static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 out)

{

	/*

	 * By now, the eBPF program has already setup parameters in r3, r4 and r5
@@ -263,7 +263,9 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 
	bpf_jit_emit_common_epilogue(image, ctx);



	PPC_BCTR();



	/* out: */

	return 0;

}



/* Assemble the body code between the prologue & epilogue */
@@ -273,7 +275,7 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, 
{

	const struct bpf_insn *insn = fp->insnsi;

	int flen = fp->len;

	int i;

	int i, ret;



	/* Start of epilogue code - will only be valid 2nd pass onwards */

	u32 exit_addr = addrs[flen];
@@ -863,7 +865,9 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image, 
		 */

		case BPF_JMP | BPF_TAIL_CALL:

			ctx->seen |= SEEN_TAILCALL;

			bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);

			ret = bpf_jit_emit_tail_call(image, ctx, addrs[i + 1]);

			if (ret < 0)

				return ret;

			break;



		default: