DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [Bug 298] BPF: eval_call() is messing bounds of return types different of RTE_BPF_ARG_RAW
@ 2019-06-27 14:58 bugzilla
  2019-07-05 19:16 ` bugzilla
  0 siblings, 1 reply; 2+ messages in thread
From: bugzilla @ 2019-06-27 14:58 UTC (permalink / raw)
  To: dev

https://bugs.dpdk.org/show_bug.cgi?id=298

            Bug ID: 298
           Summary: BPF: eval_call() is messing bounds of return types
                    different of RTE_BPF_ARG_RAW
           Product: DPDK
           Version: 19.08
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: other
          Assignee: dev@dpdk.org
          Reporter: michel@digirati.com.br
  Target Milestone: ---

Created attachment 42
  --> https://bugs.dpdk.org/attachment.cgi?id=42&action=edit
Patch eval_call() in lib/librte_bpf/bpf_validate.c

eval_call() in lib/librte_bpf/bpf_validate.c calls eval_max_bound() on the BPF
return value for all types. This makes the verifier fails when a BPF helper
function returns a pointer that is later dereferenced. The error message when
this happens should be similar to this one: evaluate: memory boundary violation
at pc: 7.

evaluate() in the same file only calls eval_max_bound() on the parameter of the
BPF program when its type is RTE_BPF_ARG_RAW. Based on this knowledge, I tested
the attached patch and it works. But I'm not knowledgable enough on librte_bpf
to know if this is the correct way to solve this problem.

-- 
You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2019-07-05 19:16 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-27 14:58 [dpdk-dev] [Bug 298] BPF: eval_call() is messing bounds of return types different of RTE_BPF_ARG_RAW bugzilla
2019-07-05 19:16 ` bugzilla

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).