net: bpf: reject invalid shifts
authorRabin Vincent <rabin@rab.in>
Tue, 12 Jan 2016 19:17:08 +0000 (20:17 +0100)
committerDavid S. Miller <davem@davemloft.net>
Tue, 12 Jan 2016 20:55:39 +0000 (15:55 -0500)
On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
constant shift that can't be encoded in the immediate field of the
UBFM/SBFM instructions is passed to the JIT.  Since these shifts
amounts, which are negative or >= regsize, are invalid, reject them in
the eBPF verifier and the classic BPF filter checker, for all
architectures.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
kernel/bpf/verifier.c
net/core/filter.c

index a7945d10b378bed8eb7243bd52923d232b1f49de..d1d3e8f57de907764fe3080632062485f5639443 100644 (file)
@@ -1121,6 +1121,16 @@ static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
                        return -EINVAL;
                }
 
+               if ((opcode == BPF_LSH || opcode == BPF_RSH ||
+                    opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
+                       int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
+
+                       if (insn->imm < 0 || insn->imm >= size) {
+                               verbose("invalid shift %d\n", insn->imm);
+                               return -EINVAL;
+                       }
+               }
+
                /* pattern match 'bpf_add Rx, imm' instruction */
                if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
                    regs[insn->dst_reg].type == FRAME_PTR &&
index 672eefbfbe99fff2ade1bd2a095fb2366a2d2c0b..37157c4c1a78de437ee753a889cbdf2ebb160323 100644 (file)
@@ -777,6 +777,11 @@ static int bpf_check_classic(const struct sock_filter *filter,
                        if (ftest->k == 0)
                                return -EINVAL;
                        break;
+               case BPF_ALU | BPF_LSH | BPF_K:
+               case BPF_ALU | BPF_RSH | BPF_K:
+                       if (ftest->k >= 32)
+                               return -EINVAL;
+                       break;
                case BPF_LD | BPF_MEM:
                case BPF_LDX | BPF_MEM:
                case BPF_ST: