On Mon, Jun 8, 2020 at 8:56 AM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
> Couldn't you run into the case above where the passed offset is large enough
> that start + offset goes beyond end pointer [and then above comparison is
> performed as unsigned ..]?

You are right. I missed that offset would be large and make start + offset > end,
when I was trying to reason about the offsets and overflows.

I just checked that on x86_64 it emits a 'jg' instruction, and the test I tried
with offset = 0xffff does return -EFAULT. However, I searched around and saw
that this is due to integer promotion of len, and the test would fail (i.e. not
returning -EFAULT) on x86_32 (I have not tested this).

> (At least on x86-64, the 'ptr + len <= end' should
> never have an issue [0].)

Alright, I see that len is an ARG_CONST_SIZE, which would be checked by
check_helper_mem_access, so it is bounded by the stack size. So the argument
against ptr >= start also applies here, correct?

YiFei Zhu
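The pitfall discussed in this exchange, as an added illustration that is not code from the patch under review or from the kernel: a range check written as `ptr + len <= end` silently passes when `ptr + len` wraps around the address space, which is exactly the x86_32 concern raised above (on x86_64 a 32-bit `len` cannot wrap a 64-bit pointer). The example models addresses as `uint32_t` so the wrap is reproducible on any host, and the function names, the `[start, end)` window and the sample values are all constructed for the demonstration. The robust form compares `len` against the remaining room `end - ptr` after establishing `start <= ptr <= end`, so no sum is ever formed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit "address space" so that wrap-around is reproducible.
 * Checks that [ptr, ptr + len) lies inside [start, end). */

/* Naive form: computes ptr + len and compares it with end.
 * On a 32-bit address the sum wraps modulo 2^32, so a huge len can produce
 * a small sum that passes the comparison (false "in range" verdict). */
static bool in_range_naive(uint32_t start, uint32_t end, uint32_t ptr, uint32_t len)
{
    return ptr >= start && ptr + len <= end;   /* ptr + len may wrap */
}

/* Robust form: never adds len to ptr. After confirming start <= ptr <= end,
 * end - ptr is the exact room left and cannot underflow, so the comparison
 * against len is correct for every value of len. */
static bool in_range_safe(uint32_t start, uint32_t end, uint32_t ptr, uint32_t len)
{
    if (ptr < start || ptr > end)
        return false;
    return len <= end - ptr;
}

/* Returns 1 when the naive check accepts a range the safe check rejects,
 * i.e. a wrap-around false positive; 0 otherwise. */
static int naive_false_positive(uint32_t start, uint32_t end, uint32_t ptr, uint32_t len)
{
    return in_range_naive(start, end, ptr, len) && !in_range_safe(start, end, ptr, len);
}

int main(void)
{
    /* Constructed window: 4 KiB starting at 0x1000. */
    const uint32_t start = 0x1000, end = 0x2000, ptr = 0x1800;

    /* Fits: 0x800 bytes are left after ptr. */
    printf("len=0x800      naive=%d safe=%d\n",
           in_range_naive(start, end, ptr, 0x800), in_range_safe(start, end, ptr, 0x800));

    /* One byte too many: both forms reject. */
    printf("len=0x801      naive=%d safe=%d\n",
           in_range_naive(start, end, ptr, 0x801), in_range_safe(start, end, ptr, 0x801));

    /* Wrap-around: 0x1800 + 0xffffff00 == 0x1700 (mod 2^32), so the naive
     * check accepts a range that runs off the end of the address space. */
    printf("len=0xffffff00 naive=%d safe=%d\n",
           in_range_naive(start, end, ptr, 0xffffff00u), in_range_safe(start, end, ptr, 0xffffff00u));
    return 0;
}
```

The same reasoning applies to the `start + offset` form quoted at the top of the thread: compare the offset against `end - start` rather than comparing `start + offset` against `end`. When the length or offset is a verifier-bounded constant, as with an ARG_CONST_SIZE argument checked by check_helper_mem_access, the sum cannot wrap and the naive form is safe; the subtraction form is the one that stays correct if that assumption ever changes.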