Date: Thu, 25 Jun 2015 15:26:29 +0100
From: Catalin Marinas
To: Xi Wang
Cc: linux-arm-kernel@lists.infradead.org, Zi Shen Lim, Will Deacon, linux-kernel@vger.kernel.org, Alexei Starovoitov
Subject: Re: [PATCH] arm64: bpf: fix out-of-bounds read in bpf2a64_offset()
Message-ID: <20150625142628.GA10127@e104818-lin.cambridge.arm.com>
References: <1435236459-15141-1-git-send-email-xi.wang@gmail.com>
In-Reply-To: <1435236459-15141-1-git-send-email-xi.wang@gmail.com>

On Thu, Jun 25, 2015 at 05:47:39AM -0700, Xi Wang wrote:
> Problems occur when bpf_to or bpf_from has value prog->len - 1 (e.g.,
> "Very long jump backwards" in test_bpf where the last instruction is a
> jump): since ctx->offset has length prog->len, ctx->offset[bpf_to + 1]
> or ctx->offset[bpf_from + 1] will cause an out-of-bounds read, leading
> to a bogus jump offset and kernel panic.
>
> This patch moves updating ctx->offset to after calling build_insn(),
> and changes indexing to use bpf_to and bpf_from without + 1.
>
> Cc: Zi Shen Lim
> Cc: Alexei Starovoitov
> Cc: Will Deacon
> Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
> Signed-off-by: Xi Wang

Thanks. Applied.

-- 
Catalin
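The off-by-one that the quoted commit message describes can be seen in a small model of the JIT's offset table. The following is an added example, not code from this thread or from the kernel: it assumes a hypothetical 4-instruction BPF program (PROG_LEN) and an assumed number of AArch64 instructions emitted per BPF instruction (a64_count), and it stands in for build_insn() with a counter. The pre-fix variant records ctx->offset[i] before emitting instruction i and indexes with + 1; the post-fix variant records it after emitting and indexes without + 1. A bounds-checked lookup replaces the raw array read so that the case the kernel would have read past the table (a jump as the last instruction, bpf_from == prog->len - 1) is reported instead of performed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: PROG_LEN BPF insns, each expanding to a64_count[i]
 * AArch64 insns. Both values are assumptions for the example. */
#define PROG_LEN 4
static const int a64_count[PROG_LEN] = { 1, 2, 3, 1 };

#define OOB_SENTINEL (-9999)	/* returned where the real code would read out of bounds */

/* Pre-fix bookkeeping: offset[i] recorded before build_insn(), so it is
 * the index of the first AArch64 insn of BPF insn i. */
static void fill_offsets_prefix(int *offset, int len)
{
	int idx = 0;

	for (int i = 0; i < len; i++) {
		offset[i] = idx;	/* start of insn i */
		idx += a64_count[i];	/* stands in for build_insn() */
	}
}

/* Post-fix bookkeeping: offset[i] recorded after build_insn(), so it is
 * the index just past BPF insn i (the start of insn i + 1). */
static void fill_offsets_postfix(int *offset, int len)
{
	int idx = 0;

	for (int i = 0; i < len; i++) {
		idx += a64_count[i];	/* stands in for build_insn() */
		offset[i] = idx;	/* end of insn i */
	}
}

/* Bounds-checked read. The real table had no such check; an index of
 * len (bpf_from + 1 when bpf_from == len - 1) read past the array. */
static bool offset_at(const int *offset, int len, int i, int *out)
{
	if (i < 0 || i >= len)
		return false;
	*out = offset[i];
	return true;
}

/* Pre-fix formula: to = offset[bpf_to + 1], from = offset[bpf_from + 1] - 1
 * (the -1 accounts for the branch instruction itself). */
static bool jump_offset_prefix(const int *offset, int len,
			       int bpf_to, int bpf_from, int *result)
{
	int to, from;

	if (!offset_at(offset, len, bpf_to + 1, &to))
		return false;
	if (!offset_at(offset, len, bpf_from + 1, &from))
		return false;
	*result = to - (from - 1);
	return true;
}

/* Post-fix formula: same arithmetic, indexed with bpf_to and bpf_from directly. */
static bool jump_offset_postfix(const int *offset, int len,
				int bpf_to, int bpf_from, int *result)
{
	int to, from;

	if (!offset_at(offset, len, bpf_to, &to))
		return false;
	if (!offset_at(offset, len, bpf_from, &from))
		return false;
	*result = to - (from - 1);
	return true;
}

/* Jump at BPF insn i with relative target off (target insn is i + off + 1,
 * so bpf_to = i + off and bpf_from = i). Returns the AArch64 branch offset,
 * or OOB_SENTINEL where the lookup would leave the table. */
static int jump_offset(bool fixed, int i, int off)
{
	int offset[PROG_LEN];
	int r = 0;
	bool ok;

	if (fixed) {
		fill_offsets_postfix(offset, PROG_LEN);
		ok = jump_offset_postfix(offset, PROG_LEN, i + off, i, &r);
	} else {
		fill_offsets_prefix(offset, PROG_LEN);
		ok = jump_offset_prefix(offset, PROG_LEN, i + off, i, &r);
	}
	return ok ? r : OOB_SENTINEL;
}

int main(void)
{
	/* A jump in the middle of the program: both versions agree (4). */
	printf("mid jump:       pre-fix %d, post-fix %d\n",
	       jump_offset(false, 1, 1), jump_offset(true, 1, 1));
	/* A backward jump as the last instruction: pre-fix needs offset[PROG_LEN]. */
	printf("last-insn jump: pre-fix %d, post-fix %d\n",
	       jump_offset(false, 3, -3), jump_offset(true, 3, -3));
	return 0;
}
```

For a jump in the middle of the program both tables give the same branch offset, which is why the bug only surfaced with a test whose last instruction is a jump; for that case the pre-fix indexing needs offset[PROG_LEN], one element past the table, while the post-fix indexing stays within it and yields the correct negative offset.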