linux_old1/kernel/bpf
Alexei Starovoitov 687f07156b bpf: fix out of bounds access in verifier log
when the verifier log is enabled the print_bpf_insn() is doing
bpf_alu_string[BPF_OP(insn->code) >> 4]
and
bpf_jmp_string[BPF_OP(insn->code) >> 4]
where BPF_OP is a 4-bit instruction opcode.
Malformed insns can cause out of bounds access.
Fix it by sizing arrays appropriately.

The bug was found by clang address sanitizer with libfuzzer.

Reported-by: Yonghong Song <yhs@plumgrid.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-09 14:11:55 -07:00
..
Makefile ebpf: remove kernel test stubs 2015-03-01 14:05:18 -05:00
arraymap.c bpf: Add new bpf map type to store the pointer to struct perf_event 2015-08-09 22:50:05 -07:00
core.c bpf: Make the bpf_prog_array_map more generic 2015-08-09 22:50:05 -07:00
hashtab.c ebpf: constify various function pointer structs 2015-03-01 14:05:18 -05:00
helpers.c bpf: introduce current->pid, tgid, uid, gid, comm accessors 2015-06-15 15:53:50 -07:00
syscall.c ebpf: fix fd refcount leaks related to maps in bpf syscall 2015-09-09 12:39:34 -07:00
verifier.c bpf: fix out of bounds access in verifier log 2015-09-09 14:11:55 -07:00