diff options
author | Alexei Starovoitov <ast@plumgrid.com> | 2015-09-08 13:40:01 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-09-09 14:11:55 -0700 |
commit | 687f07156b0c99205c21aa4e2986564046d342fe (patch) | |
tree | 668c2682acff45a945833a56f80f8282a98ae8fd | |
parent | 6b9ea5a64ed5eeb3f68f2e6fcce0ed1179801d1e (diff) | |
download | op-kernel-dev-687f07156b0c99205c21aa4e2986564046d342fe.zip op-kernel-dev-687f07156b0c99205c21aa4e2986564046d342fe.tar.gz |
bpf: fix out of bounds access in verifier log
when the verifier log is enabled the print_bpf_insn() is doing
bpf_alu_string[BPF_OP(insn->code) >> 4]
and
bpf_jmp_string[BPF_OP(insn->code) >> 4]
where BPF_OP is a 4-bit instruction opcode.
Malformed insns can cause out of bounds access.
Fix it by sizing arrays appropriately.
The bug was found by clang address sanitizer with libfuzzer.
Reported-by: Yonghong Song <yhs@plumgrid.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | kernel/bpf/verifier.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ed12e38..b074b23 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -283,7 +283,7 @@ static const char *const bpf_class_string[] = { [BPF_ALU64] = "alu64", }; -static const char *const bpf_alu_string[] = { +static const char *const bpf_alu_string[16] = { [BPF_ADD >> 4] = "+=", [BPF_SUB >> 4] = "-=", [BPF_MUL >> 4] = "*=", @@ -307,7 +307,7 @@ static const char *const bpf_ldst_string[] = { [BPF_DW >> 3] = "u64", }; -static const char *const bpf_jmp_string[] = { +static const char *const bpf_jmp_string[16] = { [BPF_JA >> 4] = "jmp", [BPF_JEQ >> 4] = "==", [BPF_JGT >> 4] = ">", |