From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 31B56A046B
	for <public@inbox.dpdk.org>; Fri, 23 Aug 2019 11:45:13 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 28AE11BFA1;
	Fri, 23 Aug 2019 11:45:13 +0200 (CEST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by dpdk.org (Postfix) with ESMTP id 5DC361BF4C
 for <stable@dpdk.org>; Fri, 23 Aug 2019 11:45:11 +0200 (CEST)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
 [10.5.11.16])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id C7DC4308FBA7;
 Fri, 23 Aug 2019 09:45:10 +0000 (UTC)
Received: from rh.redhat.com (ovpn-116-48.ams2.redhat.com [10.36.116.48])
 by smtp.corp.redhat.com (Postfix) with ESMTP id BB0455C226;
 Fri, 23 Aug 2019 09:45:09 +0000 (UTC)
From: Kevin Traynor <ktraynor@redhat.com>
To: Konstantin Ananyev <konstantin.ananyev@intel.com>
Cc: Michel Machado <michel@digirati.com.br>,
	dpdk stable <stable@dpdk.org>
Date: Fri, 23 Aug 2019 10:43:28 +0100
Message-Id: <20190823094336.12078-38-ktraynor@redhat.com>
In-Reply-To: <20190823094336.12078-1-ktraynor@redhat.com>
References: <20190823094336.12078-1-ktraynor@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.43]); Fri, 23 Aug 2019 09:45:10 +0000 (UTC)
Subject: [dpdk-stable] patch 'bpf: fix validate for function return value'
	has been queued to LTS release 18.11.3
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

Hi,

FYI, your patch has been queued to LTS release 18.11.3

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/28/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/68d2a7f08c1b355a9295ba22a31f9aeb26da2c83

Thanks.

Kevin Traynor

---
>From 68d2a7f08c1b355a9295ba22a31f9aeb26da2c83 Mon Sep 17 00:00:00 2001
From: Konstantin Ananyev <konstantin.ananyev@intel.com>
Date: Wed, 3 Jul 2019 14:40:34 +0100
Subject: [PATCH] bpf: fix validate for function return value

[ upstream commit 4715bb162368cf75c5e8db62f54b5071b70d68f3 ]

eval_call() blindly calls eval_max_bound() for external function
return value for all return types.
That causes wrong estimation for returned pointer min and max boundaries.
So any attempt to dereference that pointer value causes verifier to fail
with error message: "memory boundary violation at pc: ...".
To fix - estimate min/max boundaries based on the return value type.

Bugzilla ID: 298

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")

Reported-by: Michel Machado <michel@digirati.com.br>
Suggested-by: Michel Machado <michel@digirati.com.br>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_bpf/bpf_validate.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/librte_bpf/bpf_validate.c b/lib/librte_bpf/bpf_validate.c
index d0e683b5b..0cf41fa27 100644
--- a/lib/librte_bpf/bpf_validate.c
+++ b/lib/librte_bpf/bpf_validate.c
@@ -926,5 +926,4 @@ static const char *
 eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
 {
-	uint64_t msk;
 	uint32_t i, idx;
 	struct bpf_reg_val *rv;
@@ -959,8 +958,9 @@ eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
 	rv = bvf->evst->rv + EBPF_REG_0;
 	rv->v = xsym->func.ret;
-	msk = (rv->v.type == RTE_BPF_ARG_RAW) ?
-		RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t) : UINTPTR_MAX;
-	eval_max_bound(rv, msk);
-	rv->mask = msk;
+	if (rv->v.type == RTE_BPF_ARG_RAW)
+		eval_fill_max_bound(rv,
+			RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t));
+	else if (RTE_BPF_ARG_PTR_TYPE(rv->v.type) != 0)
+		eval_fill_imm64(rv, UINTPTR_MAX, 0);
 
 	return err;
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2019-08-22 19:38:22.921956273 +0100
+++ 0038-bpf-fix-validate-for-function-return-value.patch	2019-08-22 19:38:20.469026117 +0100
@@ -1 +1 @@
-From 4715bb162368cf75c5e8db62f54b5071b70d68f3 Mon Sep 17 00:00:00 2001
+From 68d2a7f08c1b355a9295ba22a31f9aeb26da2c83 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 4715bb162368cf75c5e8db62f54b5071b70d68f3 ]
+
@@ -16 +17,0 @@
-Cc: stable@dpdk.org