d/numam-dpdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bpf: fix validate for function return value

Browse Source 
eval_call() blindly calls eval_max_bound() for external function
return value for all return types.
That causes wrong estimation for returned pointer min and max boundaries.
So any attempt to dereference that pointer value causes verifier to fail
with error message: "memory boundary violation at pc: ...".
To fix - estimate min/max boundaries based on the return value type.

Bugzilla ID: 298

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org

Reported-by: Michel Machado <michel@digirati.com.br>
Suggested-by: Michel Machado <michel@digirati.com.br>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
This commit is contained in:
Konstantin Ananyev 2019-07-03 14:40:34 +01:00 committed by Thomas Monjalon
parent 0a92e63fc4
commit 4715bb1623
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/librte_bpf/bpf_validate.c
View File

@ -925,7 +925,6 @@ eval_func_arg(struct bpf_verifier *bvf, const struct rte_bpf_arg *arg,
static const char *
eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
{
uint64_t msk;
uint32_t i, idx;
struct bpf_reg_val *rv;
const struct rte_bpf_xsym *xsym;
@ -958,10 +957,11 @@ eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
rv = bvf->evst->rv + EBPF_REG_0;
rv->v = xsym->func.ret;
msk = (rv->v.type == RTE_BPF_ARG_RAW) ?
RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t) : UINTPTR_MAX;
eval_max_bound(rv, msk);
rv->mask = msk;
if (rv->v.type == RTE_BPF_ARG_RAW)
eval_fill_max_bound(rv,
RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t));
else if (RTE_BPF_ARG_PTR_TYPE(rv->v.type) != 0)
eval_fill_imm64(rv, UINTPTR_MAX, 0);
return err;
}