From: Kevin Traynor
To: Konstantin Ananyev
Cc: Michel Machado, dpdk stable
Date: Fri, 23 Aug 2019 10:43:28 +0100
Message-Id: <20190823094336.12078-38-ktraynor@redhat.com>
In-Reply-To: <20190823094336.12078-1-ktraynor@redhat.com>
Subject: [dpdk-stable] patch 'bpf: fix validate for function return value' has been queued to LTS release 18.11.3

Hi,

FYI, your patch has been queued to LTS release 18.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/28/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/68d2a7f08c1b355a9295ba22a31f9aeb26da2c83

Thanks.

Kevin Traynor

---
>From 68d2a7f08c1b355a9295ba22a31f9aeb26da2c83 Mon Sep 17 00:00:00 2001
From: Konstantin Ananyev Date: Wed, 3 Jul 2019 14:40:34 +0100 Subject: [PATCH] bpf: fix validate for function return value [ upstream commit 4715bb162368cf75c5e8db62f54b5071b70d68f3 ] eval_call() blindly calls eval_max_bound() for external function return value for all return types. That causes wrong estimation for returned pointer min and max boundaries. So any attempt to dereference that pointer value causes verifier to fail with error message: "memory boundary violation at pc: ...". To fix - estimate min/max boundaries based on the return value type. Bugzilla ID: 298 Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program") Reported-by: Michel Machado Suggested-by: Michel Machado Signed-off-by: Konstantin Ananyev --- lib/librte_bpf/bpf_validate.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/librte_bpf/bpf_validate.c b/lib/librte_bpf/bpf_validate.c index d0e683b5b..0cf41fa27 100644 --- a/lib/librte_bpf/bpf_validate.c +++ b/lib/librte_bpf/bpf_validate.c @@ -926,5 +926,4 @@ static const char * eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins) { - uint64_t msk; uint32_t i, idx; struct bpf_reg_val *rv; @@ -959,8 +958,9 @@ eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins) rv = bvf->evst->rv + EBPF_REG_0; rv->v = xsym->func.ret; - msk = (rv->v.type == RTE_BPF_ARG_RAW) ? - RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t) : UINTPTR_MAX; - eval_max_bound(rv, msk); - rv->mask = msk; + if (rv->v.type == RTE_BPF_ARG_RAW) + eval_fill_max_bound(rv, + RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t)); + else if (RTE_BPF_ARG_PTR_TYPE(rv->v.type) != 0) + eval_fill_imm64(rv, UINTPTR_MAX, 0); return err; -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-08-22 19:38:22.921956273 +0100 +++ 0038-bpf-fix-validate-for-function-return-value.patch 2019-08-22 19:38:20.469026117 +0100 
@@ -1 +1 @@ -From 4715bb162368cf75c5e8db62f54b5071b70d68f3 Mon Sep 17 00:00:00 2001 +From 68d2a7f08c1b355a9295ba22a31f9aeb26da2c83 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 4715bb162368cf75c5e8db62f54b5071b70d68f3 ] + @@ -16 +17,0 @@ -Cc: stable@dpdk.org
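
Review bot: in the second hunk of eval_call() (the one at -959,8 +958,9), the new `if` / `else if` chain has no final `else`, so a return type that is neither RTE_BPF_ARG_RAW nor a pointer type leaves R0 with only `rv->v = xsym->func.ret;` applied, whereas the removed lines ran eval_max_bound() and assigned `rv->mask` for every return type. If leaving the remaining fields untouched is intended for such types, a one-line comment saying so would help; otherwise add an `else` branch that resets the bounds and mask so stale state from before the call cannot carry over. The explicit `rv->mask = msk;` is also gone, so the change relies on eval_fill_max_bound() and eval_fill_imm64() setting the mask themselves, which these lines do not show and is worth confirming against the 18.11 branch. A short comment on what the arguments in `eval_fill_imm64(rv, UINTPTR_MAX, 0);` mean for a returned pointer would make the intent readable without opening the helper.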