bpf: fix out of bounds access in verifier log

when the verifier log is enabled the print_bpf_insn() is doing bpf_alu_string[BPF_OP(insn->code) >> 4] and bpf_jmp_string[BPF_OP(insn->code) >> 4] where BPF_OP is a 4-bit instruction opcode. Malformed insns can cause out of bounds access. Fix it by sizing arrays appropriately. The bug was found by clang address sanitizer with libfuzzer. Reported-by: N Yonghong Song <yhs@plumgrid.com> Signed-off-by: N Alexei Starovoitov <ast@plumgrid.com> Acked-by: N Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: N David S. Miller <davem@davemloft.net>

bpf: fix out of bounds access in verifier log
when the verifier log is enabled the print_bpf_insn() is doing bpf_alu_string[BPF_OP(insn->code) >> 4] and bpf_jmp_string[BPF_OP(insn->code) >> 4] where BPF_OP is a 4-bit instruction opcode. Malformed insns can cause out of bounds access. Fix it by sizing arrays appropriately. The bug was found by clang address sanitizer with libfuzzer. Reported-by: N Yonghong Song <yhs@plumgrid.com> Signed-off-by: N Alexei Starovoitov <ast@plumgrid.com> Acked-by: N Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: N David S. Miller <davem@davemloft.net>
687f0715 · Alexei Starovoitov · David S. Miller · 6b9ea5a6 · 687f0715
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

kernel/bpf/verifier.c kernel/bpf/verifier.c +2 -2

未找到文件。
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -283,7 +283,7 @@ static const char *const bpf_class_string[] = {
 	[BPF_ALU64] = "alu64",
 };

-static const char *const bpf_alu_string[] = {
+static const char *const bpf_alu_string[16] = {
 	[BPF_ADD >> 4]  = "+=",
 	[BPF_SUB >> 4]  = "-=",
 	[BPF_MUL >> 4]  = "*=",
@@ -307,7 +307,7 @@ static const char *const bpf_ldst_string[] = {
 	[BPF_DW >> 3] = "u64",
 };

-static const char *const bpf_jmp_string[] = {
+static const char *const bpf_jmp_string[16] = {
 	[BPF_JA >> 4]   = "jmp",
 	[BPF_JEQ >> 4]  = "==",
 	[BPF_JGT >> 4]  = ">",