On Tue, Jun 18, 2024 at 06:18:58PM GMT, Alexei Starovoitov wrote: ...
> +static int adjust_jmp_off(struct bpf_prog *prog, u32 tgt_idx, u32 delta)
> +{
> + struct bpf_insn *insn = prog->insnsi;
> + u32 insn_cnt = prog->len, i;
> +
> + for (i = 0; i < insn_cnt; i++, insn++) {
> + u8 code = insn->code;
> +
> + if ((BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32) ||
> + BPF_OP(code) == BPF_CALL || BPF_OP(code) == BPF_EXIT)
> + continue;
> +
> + if (insn->code == (BPF_JMP32 | BPF_JA)) {
> + if (i + 1 + insn->imm != tgt_idx)
> + continue;
> + if (signed_add32_overflows(insn->imm, delta))
> + return -ERANGE;
> + insn->imm += delta;
> + } else {
> + if (i + 1 + insn->off != tgt_idx)
> + continue;
> + if (signed_add16_overflows(insn->imm, delta))
Looks like this be signed_add16_overflows(insn->**off**, delta) instead? I'll proceed assuming so, and include a fix for this in v3 of the overflow-checker refactoring patch-set.
> + return -ERANGE;
> + insn->off += delta;
> + }
> + }
> + return 0;
> +} ...
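Review bot: adjust_jmp_off() carries no comment stating its contract, even though the quoted hunk shows it rewriting two differently sized fields (the 16-bit `off` of ordinary jumps and the 32-bit `imm` of `BPF_JMP32 | BPF_JA`) and returning -ERANGE when the shifted value would not fit. A kernel-doc header above `static int adjust_jmp_off(...)` should say that it shifts every jump whose target is tgt_idx by delta, name the two fields it touches, state the 0/-ERANGE return, and spell out which values of delta a caller may pass, since the u32 parameter is added to signed fields and the overflow helpers' parameter types are not visible here. The comparisons `i + 1 + insn->off != tgt_idx` and `i + 1 + insn->imm != tgt_idx` presumably rely on u32 wraparound to match backward jumps with negative offsets; a one-line comment such as `/* u32 arithmetic wraps, so negative off/imm still compare correctly */` would spare the next reader that question. The function body appears complete in the quoted excerpt, but the hunk header and surrounding context of the patch are elided.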