bpf: fix out of bounds access in verifier log
when the verifier log is enabled the print_bpf_insn() is doing bpf_alu_string[BPF_OP(insn->code) >> 4] and bpf_jmp_string[BPF_OP(insn->code) >> 4] where BPF_OP is a 4-bit instruction opcode. Malformed insns can cause out of bounds access. Fix it by sizing arrays appropriately. The bug was found by clang address sanitizer with libfuzzer. Reported-by: Yonghong Song <yhs@plumgrid.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
6b9ea5a64e
commit
687f07156b
1 changed files with 2 additions and 2 deletions
|
@ -283,7 +283,7 @@ static const char *const bpf_class_string[] = {
|
|||
[BPF_ALU64] = "alu64",
|
||||
};
|
||||
|
||||
static const char *const bpf_alu_string[] = {
|
||||
static const char *const bpf_alu_string[16] = {
|
||||
[BPF_ADD >> 4] = "+=",
|
||||
[BPF_SUB >> 4] = "-=",
|
||||
[BPF_MUL >> 4] = "*=",
|
||||
|
@ -307,7 +307,7 @@ static const char *const bpf_ldst_string[] = {
|
|||
[BPF_DW >> 3] = "u64",
|
||||
};
|
||||
|
||||
static const char *const bpf_jmp_string[] = {
|
||||
static const char *const bpf_jmp_string[16] = {
|
||||
[BPF_JA >> 4] = "jmp",
|
||||
[BPF_JEQ >> 4] = "==",
|
||||
[BPF_JGT >> 4] = ">",
|
||||
|
|
Loading…
Reference in a new issue