Breaks #76/u bounds check mixed 32bit and 64bit arithmetic. test2 On Thu, Sep 3, 2020 at 6:02 PM Yauheni Kaliuta <yauheni.kaliuta@xxxxxxxxxx> wrote: > > On code patching it may require to update branch destinations if the > code size changed. bpf_adj_delta_to_imm/off increments offset only > if the patched area is after the branch instruction. But it's > possible, that the patched area itself is a branch instruction and > requires destination update. > > The problem was triggered by bpf selftest > > test_progs -t global_funcs > > on s390, where the very first "call" instruction is patched from > verifier.c:opt_subreg_zext_lo32_rnd_hi32() with zext_patch. > > The patch includes current instruction to the condition check. > > Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@xxxxxxxxxx> > --- > kernel/bpf/core.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c > index ed0b3578867c..b0a9a22491a5 100644 > --- a/kernel/bpf/core.c > +++ b/kernel/bpf/core.c > @@ -340,7 +340,7 @@ static int bpf_adj_delta_to_imm(struct bpf_insn *insn, u32 pos, s32 end_old, > s32 delta = end_new - end_old; > s64 imm = insn->imm; > > - if (curr < pos && curr + imm + 1 >= end_old) > + if (curr <= pos && curr + imm + 1 >= end_old) > imm += delta; > else if (curr >= end_new && curr + imm + 1 < end_new) > imm -= delta; > @@ -358,7 +358,7 @@ static int bpf_adj_delta_to_off(struct bpf_insn *insn, u32 pos, s32 end_old, > s32 delta = end_new - end_old; > s32 off = insn->off; > > - if (curr < pos && curr + off + 1 >= end_old) > + if (curr <= pos && curr + off + 1 >= end_old) > off += delta; > else if (curr >= end_new && curr + off + 1 < end_new) > off -= delta; > -- > 2.26.2 > -- WBR, Yauheni
