DPDK patches and discussions
From: Konstantin Ananyev <konstantin.ananyev@intel.com>
To: dev@dpdk.org
Cc: michel@digirati.com.br,
	Konstantin Ananyev <konstantin.ananyev@intel.com>,
	stable@dpdk.org
Subject: [dpdk-dev] [PATCH 1/2] bpf: fix validate for function return value
Date: Wed,  3 Jul 2019 14:40:34 +0100
Message-ID: <20190703134035.4773-2-konstantin.ananyev@intel.com>
In-Reply-To: <20190703134035.4773-1-konstantin.ananyev@intel.com>

eval_call() blindly calls eval_max_bound() for external function
return value for all return types.
That causes wrong estimation for returned pointer min and max boundaries.
So any attempt to dereference that pointer value causes verifier to fail
with error message: "memory boundary violation at pc: ...".
To fix - estimate min/max boundaries based on the return value type.

For more details please refer to:
https://bugs.dpdk.org/show_bug.cgi?id=298

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org

Reported-by: Michel Machado <michel@digirati.com.br>
Suggested-by: Michel Machado <michel@digirati.com.br>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_bpf/bpf_validate.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/librte_bpf/bpf_validate.c b/lib/librte_bpf/bpf_validate.c
index d0e683b5b..0cf41fa27 100644
--- a/lib/librte_bpf/bpf_validate.c
+++ b/lib/librte_bpf/bpf_validate.c
@@ -925,7 +925,6 @@ eval_func_arg(struct bpf_verifier *bvf, const struct rte_bpf_arg *arg,
 static const char *
 eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
 {
-	uint64_t msk;
 	uint32_t i, idx;
 	struct bpf_reg_val *rv;
 	const struct rte_bpf_xsym *xsym;
@@ -958,10 +957,11 @@ eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
 
 	rv = bvf->evst->rv + EBPF_REG_0;
 	rv->v = xsym->func.ret;
-	msk = (rv->v.type == RTE_BPF_ARG_RAW) ?
-		RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t) : UINTPTR_MAX;
-	eval_max_bound(rv, msk);
-	rv->mask = msk;
+	if (rv->v.type == RTE_BPF_ARG_RAW)
+		eval_fill_max_bound(rv,
+			RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t));
+	else if (RTE_BPF_ARG_PTR_TYPE(rv->v.type) != 0)
+		eval_fill_imm64(rv, UINTPTR_MAX, 0);
 
 	return err;
 }
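
Review bot: The new if / else if chain after `rv->v = xsym->func.ret;` has no final else, so for a return type that is neither RTE_BPF_ARG_RAW nor a pointer type nothing here sets rv->mask or the bounds of R0, whereas the removed lines called eval_max_bound() and assigned `rv->mask = msk` unconditionally. If leaving those fields as they were before the call is intended for that case (for example a function with no return value), state it in a comment, or add an explicit else branch that puts R0 into a defined state, so that later instructions are not evaluated against whatever bounds R0 held previously. A one-line comment on `eval_fill_imm64(rv, UINTPTR_MAX, 0)` saying what the two arguments mean for a returned pointer would also help, since the commit message says the bounds are estimated from the return type but the call does not show how.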
-- 
2.17.1


Thread overview: 4+ messages
2019-07-03 13:40 [dpdk-dev] [PATCH 0/2] bpf: fix and new test-case Konstantin Ananyev
2019-07-03 13:40 ` Konstantin Ananyev [this message]
2019-07-03 13:40 ` [dpdk-dev] [PATCH 2/2] test/bpf: add test-case for function return value Konstantin Ananyev
2019-07-04  9:07 ` [dpdk-dev] [PATCH 0/2] bpf: fix and new test-case Thomas Monjalon