Commit e99688eb authored by Yonghong Song, committed by Alexei Starovoitov

bpf: Fix an array-index-out-of-bounds issue in disasm.c



syzbot reported an array-index-out-of-bounds when printing out bpf
insns. Further investigation shows the insn is illegal but
is printed out due to log level 1 or 2 before actual insn verification
in do_check().

This particular illegal insn is a MOVSX insn with offset value 2.
The legal offset value for MOVSX should be 8, 16 and 32.
The disasm sign-extension-size array index is calculated as
 (insn->off / 8) - 1
and offset value 2 gives an out-of-bound index -1.

Tighten the checking for MOVSX insn in disasm.c to avoid
array-index-out-of-bounds issue.

Reported-by: syzbot+3758842a6c01012aa73b@syzkaller.appspotmail.com
Fixes: f835bb62 ("bpf: Add kernel/bpftool asm support for new instructions")
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20230731204534.1975311-1-yonghong.song@linux.dev


Signed-off-by: Alexei Starovoitov <ast@kernel.org>
parent 74bdfab4
+2 −1
@@ -162,7 +162,8 @@ static bool is_sdiv_smod(const struct bpf_insn *insn)

static bool is_movsx(const struct bpf_insn *insn)
{
	return BPF_OP(insn->code) == BPF_MOV && insn->off != 0;
	return BPF_OP(insn->code) == BPF_MOV &&
	       (insn->off == 8 || insn->off == 16 || insn->off == 32);
}

void print_bpf_insn(const struct bpf_insn_cbs *cbs,
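Review bot: the new return in is_movsx() hardcodes the same size information as the sign-extension array it protects (the commit message gives the index as (insn->off / 8) - 1, so three entries for 8, 16 and 32) without a comment tying the two together; add a one-line note above the return, for example `/* MOVSX widths are 8, 16 or 32 bits; index (off / 8) - 1 must stay in range */`, or bounds-check the computed index where print_bpf_insn() uses it, so a later change to either side cannot desynchronise them. The logic itself is right: the old `insn->off != 0` admitted any non-zero offset, which is how off == 2 reached the array with index -1, and the new test admits exactly the three valid widths. Note that the rendered hunk has lost its +/- markers: the single-line return is the removed line and the two-line return is its replacement.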