From patchwork Wed Apr 23 03:18:57 2014
X-Patchwork-Submitter: Alexei Starovoitov
X-Patchwork-Id: 341693
X-Patchwork-Delegate: davem@davemloft.net
From: Alexei Starovoitov
To: "David S. Miller"
Cc: Daniel Borkmann, netdev@vger.kernel.org
Subject: [PATCH net] net: filter: initialize A and X registers
Date: Tue, 22 Apr 2014 20:18:57 -0700
Message-Id: <1398223137-5463-1-git-send-email-ast@plumgrid.com>

existing BPF verifier allows uninitialized access to registers,
'ret A' is considered to be a valid filter.
So initialize A and X to zero to prevent leaking kernel memory
In the future BPF verifier will be rejecting such filters

Signed-off-by: Alexei Starovoitov
Cc: Daniel Borkmann
Acked-by: Daniel Borkmann
---
 net/core/filter.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c index cd58614..9d79ca0 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -122,6 +122,13 @@ noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) return 0; } +/* Register mappings for user programs. */ +#define A_REG 0 +#define X_REG 7 +#define TMP_REG 8 +#define ARG2_REG 2 +#define ARG3_REG 3 + /** * __sk_run_filter - run a filter on a given context * @ctx: buffer to run the filter on @@ -242,6 +249,8 @@ unsigned int __sk_run_filter(void *ctx, const struct sock_filter_int *insn) regs[FP_REG] = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; regs[ARG1_REG] = (u64) (unsigned long) ctx; + regs[A_REG] = 0; + regs[X_REG] = 0; select_insn: goto *jumptable[insn->code]; @@ -643,13 +652,6 @@ static u64 __get_raw_cpu_id(u64 ctx, u64 A, u64 X, u64 r4, u64 r5) return raw_smp_processor_id(); } -/* Register mappings for user programs. */ -#define A_REG 0 -#define X_REG 7 -#define TMP_REG 8 -#define ARG2_REG 2 -#define ARG3_REG 3 - static bool convert_bpf_extensions(struct sock_filter *fp, struct sock_filter_int **insnp) {
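
Review bot: in the `@@ -242,6 +249,8 @@` hunk of `__sk_run_filter()`, the two new stores `regs[A_REG] = 0;` and `regs[X_REG] = 0;` carry no comment, so the reason they exist (a filter such as `ret A` would otherwise return whatever was left in an uninitialized `regs[]` slot) is recorded only in the commit message. A short comment above them, saying that they prevent leaking kernel memory and can go once the verifier rejects uninitialized reads, would keep a later cleanup from dropping them too early. It is also worth stating why only A and X need this: the prologue now sets FP_REG, ARG1_REG, A_REG and X_REG, while the other mapped registers (TMP_REG, ARG2_REG, ARG3_REG) are still unset at entry.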
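
Review bot: the `@@ -122,6 +122,13 @@` hunk places the five register `#define`s between `__bpf_call_base()` and the kernel-doc of `__sk_run_filter()`, apart from wherever FP_REG and ARG1_REG are defined (both are used right next to the new stores but are not part of this block). Consider putting the block beside those definitions, or at least extending the comment "Register mappings for user programs." to say that A_REG and X_REG are now also used by the interpreter prologue, so the register map stays in one place. The matching removal in the `@@ -643,13 +652,6 @@` hunk is a pure move and needs no change.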