This is a note to let you know that I've just added the patch titled
arm64: bpf: fix mod-by-zero case
to the 4.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
arm64-bpf-fix-mod-by-zero-case.patch
and it can be found in the queue-4.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 14e589ff4aa3f28a5424e92b6495ecb8950080f7 Mon Sep 17 00:00:00 2001
From: Zi Shen Lim <zlim.lnx@xxxxxxxxx>
Date: Wed, 4 Nov 2015 20:43:59 -0800
Subject: arm64: bpf: fix mod-by-zero case
From: Zi Shen Lim <zlim.lnx@xxxxxxxxx>
commit 14e589ff4aa3f28a5424e92b6495ecb8950080f7 upstream.
Turns out in the case of modulo by zero in a BPF program:
A = A % X; (X == 0)
the expected behavior is to terminate with return value 0.
The bug in JIT is exposed by a new test case [1].
[1] https://lkml.org/lkml/2015/11/4/499
Signed-off-by: Zi Shen Lim <zlim.lnx@xxxxxxxxx>
Reported-by: Yang Shi <yang.shi@xxxxxxxxxx>
Reported-by: Xi Wang <xi.wang@xxxxxxxxx>
CC: Alexei Starovoitov <ast@xxxxxxxxxxxx>
Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
Signed-off-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
arch/arm64/net/bpf_jit_comp.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -269,6 +269,8 @@ static int build_insn(const struct bpf_i
break;
case BPF_ALU | BPF_DIV | BPF_X:
case BPF_ALU64 | BPF_DIV | BPF_X:
+ case BPF_ALU | BPF_MOD | BPF_X:
+ case BPF_ALU64 | BPF_MOD | BPF_X:
{
const u8 r0 = bpf2a64[BPF_REG_0];
@@ -281,16 +283,19 @@ static int build_insn(const struct bpf_i
check_imm26(jmp_offset);
emit(A64_B(jmp_offset), ctx);
/* else */
- emit(A64_UDIV(is64, dst, dst, src), ctx);
+ switch (BPF_OP(code)) {
+ case BPF_DIV:
+ emit(A64_UDIV(is64, dst, dst, src), ctx);
+ break;
+ case BPF_MOD:
+ ctx->tmp_used = 1;
+ emit(A64_UDIV(is64, tmp, dst, src), ctx);
+ emit(A64_MUL(is64, tmp, tmp, src), ctx);
+ emit(A64_SUB(is64, dst, dst, tmp), ctx);
+ break;
+ }
break;
}
- case BPF_ALU | BPF_MOD | BPF_X:
- case BPF_ALU64 | BPF_MOD | BPF_X:
- ctx->tmp_used = 1;
- emit(A64_UDIV(is64, tmp, dst, src), ctx);
- emit(A64_MUL(is64, tmp, tmp, src), ctx);
- emit(A64_SUB(is64, dst, dst, tmp), ctx);
- break;
case BPF_ALU | BPF_LSH | BPF_X:
case BPF_ALU64 | BPF_LSH | BPF_X:
emit(A64_LSLV(is64, dst, dst, src), ctx);
Patches currently in stable-queue which might be from zlim.lnx@xxxxxxxxx are
queue-4.1/arm64-bpf-fix-mod-by-zero-case.patch
queue-4.1/arm64-bpf-fix-div-by-zero-case.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html