• Daniel Borkmann's avatar
    bpf: make unknown opcode handling more robust · 5e581dad
    Daniel Borkmann authored
    Recent findings by syzcaller fixed in 7891a87e ("bpf: arsh is
    not supported in 32 bit alu thus reject it") triggered a warning
    in the interpreter due to unknown opcode not being rejected by
    the verifier. The 'return 0' for an unknown opcode is really not
    optimal, since with BPF to BPF calls, this would go untracked by
    the verifier.
    
    Do two things here to improve the situation: i) perform basic insn
    sanity check early on in the verification phase and reject every
    non-uapi insn right there. The bpf_opcode_in_insntable() table
    reuses the same mapping as the jumptable in ___bpf_prog_run() sans
    the non-public mappings. And ii) in ___bpf_prog_run() we do need
    to BUG in the case where the verifier would ever create an unknown
    opcode due to some rewrites.
    
    Note that JITs do not have such issues since they would punt to
    interpreter in these situations. Moreover, the BPF_JIT_ALWAYS_ON
    would also help to avoid such unknown opcodes in the first place.
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    5e581dad
verifier.c 166 KB