From 4715bb162368cf75c5e8db62f54b5071b70d68f3 Mon Sep 17 00:00:00 2001 From: Konstantin Ananyev Date: Wed, 3 Jul 2019 14:40:34 +0100 Subject: [PATCH] bpf: fix validate for function return value eval_call() blindly calls eval_max_bound() for external function return value for all return types. That causes wrong estimation for returned pointer min and max boundaries. So any attempt to dereference that pointer value causes verifier to fail with error message: "memory boundary violation at pc: ...". To fix - estimate min/max boundaries based on the return value type. Bugzilla ID: 298 Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program") Cc: stable@dpdk.org Reported-by: Michel Machado Suggested-by: Michel Machado Signed-off-by: Konstantin Ananyev --- lib/librte_bpf/bpf_validate.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/librte_bpf/bpf_validate.c b/lib/librte_bpf/bpf_validate.c index d0e683b5b2..0cf41fa27c 100644 --- a/lib/librte_bpf/bpf_validate.c +++ b/lib/librte_bpf/bpf_validate.c @@ -925,7 +925,6 @@ eval_func_arg(struct bpf_verifier *bvf, const struct rte_bpf_arg *arg, static const char * eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins) { - uint64_t msk; uint32_t i, idx; struct bpf_reg_val *rv; const struct rte_bpf_xsym *xsym; @@ -958,10 +957,11 @@ eval_call(struct bpf_verifier *bvf, const struct ebpf_insn *ins) rv = bvf->evst->rv + EBPF_REG_0; rv->v = xsym->func.ret; - msk = (rv->v.type == RTE_BPF_ARG_RAW) ? - RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t) : UINTPTR_MAX; - eval_max_bound(rv, msk); - rv->mask = msk; + if (rv->v.type == RTE_BPF_ARG_RAW) + eval_fill_max_bound(rv, + RTE_LEN2MASK(rv->v.size * CHAR_BIT, uint64_t)); + else if (RTE_BPF_ARG_PTR_TYPE(rv->v.type) != 0) + eval_fill_imm64(rv, UINTPTR_MAX, 0); return err; } -- 2.20.1