diff mbox series

[1/2] bpf: fix validate for function return value

Message ID	20190703134035.4773-2-konstantin.ananyev@intel.com (mailing list archive)
State	Accepted, archived
Delegated to:	Thomas Monjalon
Headers	From: Konstantin Ananyev <konstantin.ananyev@intel.com> To: dev@dpdk.org Cc: michel@digirati.com.br, Konstantin Ananyev <konstantin.ananyev@intel.com>, stable@dpdk.org Date: Wed, 3 Jul 2019 14:40:34 +0100 Message-Id: <20190703134035.4773-2-konstantin.ananyev@intel.com> In-Reply-To: <20190703134035.4773-1-konstantin.ananyev@intel.com> References: <20190703134035.4773-1-konstantin.ananyev@intel.com> Subject: [dpdk-dev] [PATCH 1/2] bpf: fix validate for function return value Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	bpf: fix and new test-case \| [0/2] bpf: fix and new test-case [1/2] bpf: fix validate for function return value [2/2] test/bpf: add test-case for function return value

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/intel-Performance-Testing	success	Performance Testing PASS
ci/mellanox-Performance-Testing	success	Performance Testing PASS
ci/Intel-compilation	fail	Compilation issues

Commit Message

Ananyev, Konstantin July 3, 2019, 1:40 p.m. UTC

  eval_call() blindly calls eval_max_bound() for external function
return value for all return types.
That causes wrong estimation for returned pointer min and max boundaries.
So any attempt to dereference that pointer value causes verifier to fail
with error message: "memory boundary violation at pc: ...".
To fix - estimate min/max boundaries based on the return value type.

For more details please refer to:
https://bugs.dpdk.org/show_bug.cgi?id=298

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org

Reported-by: Michel Machado <michel@digirati.com.br>
Suggested-by: Michel Machado <michel@digirati.com.br>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_bpf/bpf_validate.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff mbox series

Patch

diff --git a/lib/librte_bpf/bpf_validate.c b/lib/librte_bpf/bpf_validate.c
index d0e683b5b..0cf41fa27 100644
--- a/lib/librte_bpf/bpf_validate.c
+++ b/lib/librte_bpf/bpf_validate.c
@@ -925,7 +925,6 @@  eval_func_arg(struct bpf_verifier *bvf, const struct rte_bpf_arg *arg,
 static const char *
 eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
 {
-	uint64_t msk;
 	uint32_t i, idx;
 	struct bpf_reg_val *rv;
 	const struct rte_bpf_xsym *xsym;
@@ -958,10 +957,11 @@  eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
 
 	rv = bvf->evst->rv + EBPF_REG_0;
 	rv->v = xsym->func.ret;
-	msk = (rv->v.type == RTE_BPF_ARG_RAW) ?
-		RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t) : UINTPTR_MAX;
-	eval_max_bound(rv, msk);
-	rv->mask = msk;
+	if (rv->v.type == RTE_BPF_ARG_RAW)
+		eval_fill_max_bound(rv,
+			RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t));
+	else if (RTE_BPF_ARG_PTR_TYPE(rv->v.type) != 0)
+		eval_fill_imm64(rv, UINTPTR_MAX, 0);
 
 	return err;
 }