From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 04CDFA0487 for ; Wed, 3 Jul 2019 15:40:58 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 44F982956; Wed, 3 Jul 2019 15:40:51 +0200 (CEST) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by dpdk.org (Postfix) with ESMTP id B06212AB; Wed, 3 Jul 2019 15:40:47 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Jul 2019 06:40:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.63,446,1557212400"; d="scan'208";a="362631942" Received: from sivswdev08.ir.intel.com ([10.237.217.47]) by fmsmga005.fm.intel.com with ESMTP; 03 Jul 2019 06:40:40 -0700 From: Konstantin Ananyev To: dev@dpdk.org Cc: michel@digirati.com.br, Konstantin Ananyev , stable@dpdk.org Date: Wed, 3 Jul 2019 14:40:34 +0100 Message-Id: <20190703134035.4773-2-konstantin.ananyev@intel.com> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20190703134035.4773-1-konstantin.ananyev@intel.com> References: <20190703134035.4773-1-konstantin.ananyev@intel.com> Subject: [dpdk-dev] [PATCH 1/2] bpf: fix validate for function return value X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" eval_call() blindly calls eval_max_bound() for external function return value for all return types. That causes wrong estimation for returned pointer min and max boundaries. So any attempt to dereference that pointer value causes verifier to fail with error message: "memory boundary violation at pc: ...". To fix - estimate min/max boundaries based on the return value type. For more details please refer to: https://bugs.dpdk.org/show_bug.cgi?id=298 Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program") Cc: stable@dpdk.org Reported-by: Michel Machado Suggested-by: Michel Machado Signed-off-by: Konstantin Ananyev --- lib/librte_bpf/bpf_validate.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/librte_bpf/bpf_validate.c b/lib/librte_bpf/bpf_validate.c index d0e683b5b..0cf41fa27 100644 --- a/lib/librte_bpf/bpf_validate.c +++ b/lib/librte_bpf/bpf_validate.c @@ -925,7 +925,6 @@ eval_func_arg(struct bpf_verifier *bvf, const struct rte_bpf_arg *arg, static const char * eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins) { - uint64_t msk; uint32_t i, idx; struct bpf_reg_val *rv; const struct rte_bpf_xsym *xsym; @@ -958,10 +957,11 @@ eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins) rv = bvf->evst->rv + EBPF_REG_0; rv->v = xsym->func.ret; - msk = (rv->v.type == RTE_BPF_ARG_RAW) ? - RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t) : UINTPTR_MAX; - eval_max_bound(rv, msk); - rv->mask = msk; + if (rv->v.type == RTE_BPF_ARG_RAW) + eval_fill_max_bound(rv, + RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t)); + else if (RTE_BPF_ARG_PTR_TYPE(rv->v.type) != 0) + eval_fill_imm64(rv, UINTPTR_MAX, 0); return err; } -- 2.17.1