On the architectures that use bpf_jit_needs_zext(), e.g., s390x, the
verifier incorrectly inserts a zero-extension after BPF_MEMSX, leading
to miscompilations like the one below:
24: 89 1a ff fe 00 00 00 00 "r1 = *(s16 *)(r10 - 2);" # zext_dst set
0x3ff7fdb910e: lgh %r2,-2(%r13,%r0) # load halfword
0x3ff7fdb9114: llgfr %r2,%r2 # wrong!
25: 65 10 00 03 00 00 7f ff if r1 s> 32767 goto +3 <l0_1> # check_cond_jmp_op()
Disable such zero-extensions. The JITs need to insert sign-extension
themselves, if necessary.
Signed-off-by: Ilya Leoshkevich <iii@xxxxxxxxxxxxx>
---
kernel/bpf/verifier.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index bb78212fa5b2..097985a46edc 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3110,7 +3110,9 @@ static void mark_insn_zext(struct bpf_verifier_env *env,
{
s32 def_idx = reg->subreg_def;
- if (def_idx == DEF_NOT_SUBREG)
+ if (def_idx == DEF_NOT_SUBREG ||
+ (BPF_CLASS(env->prog->insnsi[def_idx - 1].code) == BPF_LDX &&
+ BPF_MODE(env->prog->insnsi[def_idx - 1].code) == BPF_MEMSX))
return;
env->insn_aux_data[def_idx - 1].zext_dst = true;
--
2.41.0
