Commit 687f0715 authored by Alexei Starovoitov's avatar Alexei Starovoitov Committed by David S. Miller

bpf: fix out of bounds access in verifier log

when the verifier log is enabled the print_bpf_insn() is doing
bpf_alu_string[BPF_OP(insn->code) >> 4]
and
bpf_jmp_string[BPF_OP(insn->code) >> 4]
where BPF_OP is a 4-bit instruction opcode.
Malformed insns can cause out of bounds access.
Fix it by sizing arrays appropriately.

The bug was found by clang address sanitizer with libfuzzer.
Reported-by: default avatarYonghong Song <yhs@plumgrid.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6b9ea5a6
...@@ -283,7 +283,7 @@ static const char *const bpf_class_string[] = { ...@@ -283,7 +283,7 @@ static const char *const bpf_class_string[] = {
[BPF_ALU64] = "alu64", [BPF_ALU64] = "alu64",
}; };
static const char *const bpf_alu_string[] = { static const char *const bpf_alu_string[16] = {
[BPF_ADD >> 4] = "+=", [BPF_ADD >> 4] = "+=",
[BPF_SUB >> 4] = "-=", [BPF_SUB >> 4] = "-=",
[BPF_MUL >> 4] = "*=", [BPF_MUL >> 4] = "*=",
...@@ -307,7 +307,7 @@ static const char *const bpf_ldst_string[] = { ...@@ -307,7 +307,7 @@ static const char *const bpf_ldst_string[] = {
[BPF_DW >> 3] = "u64", [BPF_DW >> 3] = "u64",
}; };
static const char *const bpf_jmp_string[] = { static const char *const bpf_jmp_string[16] = {
[BPF_JA >> 4] = "jmp", [BPF_JA >> 4] = "jmp",
[BPF_JEQ >> 4] = "==", [BPF_JEQ >> 4] = "==",
[BPF_JGT >> 4] = ">", [BPF_JGT >> 4] = ">",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment