• Daniel Borkmann's avatar
    bpf, arm64: fix jit branch offset related to ldimm64 · ddc665a4
    Daniel Borkmann authored
    When the instruction right before the branch destination is
    a 64 bit load immediate, we currently calculate the wrong
    jump offset in the ctx->offset[] array as we only account
    one instruction slot for the 64 bit load immediate although
    it uses two BPF instructions. Fix it up by setting the offset
    into the right slot after we incremented the index.
    
    Before (ldimm64 test 1):
    
      [...]
      00000020:  52800007  mov w7, #0x0 // #0
      00000024:  d2800060  mov x0, #0x3 // #3
      00000028:  d2800041  mov x1, #0x2 // #2
      0000002c:  eb01001f  cmp x0, x1
      00000030:  54ffff82  b.cs 0x00000020
      00000034:  d29fffe7  mov x7, #0xffff // #65535
      00000038:  f2bfffe7  movk x7, #0xffff, lsl #16
      0000003c:  f2dfffe7  movk x7, #0xffff, lsl #32
      00000040:  f2ffffe7  movk x7, #0xffff, lsl #48
      00000044:  d29dddc7  mov x7, #0xeeee // #61166
      00000048:  f2bdddc7  movk x7, #0xeeee, lsl #16
      0000004c:  f2ddddc7  movk x7, #0xeeee, lsl #32
      00000050:  f2fdddc7  movk x7, #0xeeee, lsl #48
      [...]
    
    After (ldimm64 test 1):
    
      [...]
      00000020:  52800007  mov w7, #0x0 // #0
      00000024:  d2800060  mov x0, #0x3 // #3
      00000028:  d2800041  mov x1, #0x2 // #2
      0000002c:  eb01001f  cmp x0, x1
      00000030:  540000a2  b.cs 0x00000044
      00000034:  d29fffe7  mov x7, #0xffff // #65535
      00000038:  f2bfffe7  movk x7, #0xffff, lsl #16
      0000003c:  f2dfffe7  movk x7, #0xffff, lsl #32
      00000040:  f2ffffe7  movk x7, #0xffff, lsl #48
      00000044:  d29dddc7  mov x7, #0xeeee // #61166
      00000048:  f2bdddc7  movk x7, #0xeeee, lsl #16
      0000004c:  f2ddddc7  movk x7, #0xeeee, lsl #32
      00000050:  f2fdddc7  movk x7, #0xeeee, lsl #48
      [...]
    
    Also, add a couple of test cases to make sure JITs pass
    this test. Tested on Cavium ThunderX ARMv8. The added
    test cases all pass after the fix.
    
    Fixes: 8eee539d ("arm64: bpf: fix out-of-bounds read in bpf2a64_offset()")
    Reported-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Cc: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    ddc665a4
bpf_jit_comp.c 22.7 KB