On Thu, Jul 11, 2024 at 11:41 PM Shung-Hsi Yu <shung-hsi.yu@xxxxxxxx> wrote:
>
> On Tue, Jun 18, 2024 at 06:18:58PM GMT, Alexei Starovoitov wrote:
> ...
> > +static int adjust_jmp_off(struct bpf_prog *prog, u32 tgt_idx, u32 delta)
> > +{
> > +	struct bpf_insn *insn = prog->insnsi;
> > +	u32 insn_cnt = prog->len, i;
> > +
> > +	for (i = 0; i < insn_cnt; i++, insn++) {
> > +		u8 code = insn->code;
> > +
> > +		if ((BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32) ||
> > +		    BPF_OP(code) == BPF_CALL || BPF_OP(code) == BPF_EXIT)
> > +			continue;
> > +
> > +		if (insn->code == (BPF_JMP32 | BPF_JA)) {
> > +			if (i + 1 + insn->imm != tgt_idx)
> > +				continue;
> > +			if (signed_add32_overflows(insn->imm, delta))
> > +				return -ERANGE;
> > +			insn->imm += delta;
> > +		} else {
> > +			if (i + 1 + insn->off != tgt_idx)
> > +				continue;
> > +			if (signed_add16_overflows(insn->imm, delta))
>
> Looks like this should be signed_add16_overflows(insn->**off**, delta) instead?
>
> I'll proceed assuming so, and include a fix for this in v3 of the
> overflow-checker refactoring patch-set.

Ohh. Good catch. Thanks!
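Review bot: The overflow check in the `else` branch tests the wrong field. That branch matches the jump target through the 16-bit `insn->off` (`if (i + 1 + insn->off != tgt_idx)`), and by analogy with the `BPF_JMP32 | BPF_JA` branch just above it, which checks `insn->imm` before doing `insn->imm += delta`, the guard here should be `if (signed_add16_overflows(insn->off, delta))` so that the -ERANGE rejection covers the value that is actually being adjusted. As written, `insn->imm` is checked while `insn->off` is left unguarded, so an offset that overflows s16 would not be caught.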