From: Yonghong Song Date: Mon, 31 Jul 2023 20:45:34 +0000 (-0700) Subject: bpf: Fix an array-index-out-of-bounds issue in disasm.c X-Git-Tag: v6.6.7~2079^2~233^2~9 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e99688eba2e90a600956e936bc335ece902a5d7f;p=platform%2Fkernel%2Flinux-starfive.git bpf: Fix an array-index-out-of-bounds issue in disasm.c syzbot reported an array-index-out-of-bounds when printing out bpf insns. Further investigation shows the insn is illegal but is printed out due to log level 1 or 2 before actual insn verification in do_check(). This particular illegal insn is a MOVSX insn with offset value 2. The legal offset value for MOVSX should be 8, 16 and 32. The disasm sign-extension-size array index is calculated as (insn->off / 8) - 1 and offset value 2 gives an out-of-bound index -1. Tighten the checking for MOVSX insn in disasm.c to avoid array-index-out-of-bounds issue. Reported-by: syzbot+3758842a6c01012aa73b@syzkaller.appspotmail.com Fixes: f835bb622299 ("bpf: Add kernel/bpftool asm support for new instructions") Signed-off-by: Yonghong Song Acked-by: Eduard Zingerman Link: https://lore.kernel.org/r/20230731204534.1975311-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov --- diff --git a/kernel/bpf/disasm.c b/kernel/bpf/disasm.c index d7bff60..ef7c107 100644 --- a/kernel/bpf/disasm.c +++ b/kernel/bpf/disasm.c @@ -162,7 +162,8 @@ static bool is_sdiv_smod(const struct bpf_insn *insn) static bool is_movsx(const struct bpf_insn *insn) { - return BPF_OP(insn->code) == BPF_MOV && insn->off != 0; + return BPF_OP(insn->code) == BPF_MOV && + (insn->off == 8 || insn->off == 16 || insn->off == 32); } void print_bpf_insn(const struct bpf_insn_cbs *cbs,
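Review bot: the new is_movsx() check in the disasm.c hunk hard-codes the accepted MOVSX offsets (8, 16, 32), but the lookup it protects, described in the commit message as index (insn->off / 8) - 1, still silently depends on the sign-extension-size string table being sized for index 3 (offset 32 maps to 3, leaving index 2 unused), and the table itself is not in this hunk. Suggest either adding a comment at the return statement that ties the three literals to the table layout, or replacing the arithmetic index at the print site with an explicit switch on insn->off (8/16/32, default unreachable) so a future change to the accepted offsets cannot reintroduce an out-of-bounds read. Since the verifier must apply the same offset rule in do_check(), a shared helper for "valid MOVSX offset" would also keep the two lists from drifting apart.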