bpf: fix out of bounds access in verifier log
authorAlexei Starovoitov <ast@plumgrid.com>
Tue, 8 Sep 2015 20:40:01 +0000 (13:40 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 9 Sep 2015 21:11:55 +0000 (14:11 -0700)
commit687f07156b0c99205c21aa4e2986564046d342fe
tree668c2682acff45a945833a56f80f8282a98ae8fd
parent6b9ea5a64ed5eeb3f68f2e6fcce0ed1179801d1e
bpf: fix out of bounds access in verifier log

when the verifier log is enabled the print_bpf_insn() is doing
bpf_alu_string[BPF_OP(insn->code) >> 4]
and
bpf_jmp_string[BPF_OP(insn->code) >> 4]
where BPF_OP is a 4-bit instruction opcode.
Malformed insns can cause out of bounds access.
Fix it by sizing arrays appropriately.

The bug was found by clang address sanitizer with libfuzzer.

Reported-by: Yonghong Song <yhs@plumgrid.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
kernel/bpf/verifier.c