On Mon, Oct 08, 2018 at 10:59:33AM +0200, Daniel Borkmann wrote:
> From: Jann Horn <jannh@xxxxxxxxxx>
>
> [ upstream commit b799207e1e1816b09e7a5920fbb2d5fcf6edd681 ]
>
> When I wrote commit 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification"), I
> assumed that, in order to emulate 64-bit arithmetic with 32-bit logic, it
> is sufficient to just truncate the output to 32 bits; and so I just moved
> the register size coercion that used to be at the start of the function to
> the end of the function.
>
> That assumption is true for almost every op, but not for 32-bit right
> shifts, because those can propagate information towards the least
> significant bit. Fix it by always truncating inputs for 32-bit ops to 32
> bits.
>
> Also get rid of the coerce_reg_to_size() after the ALU op, since that has
> no effect.

Applied, thanks.

greg k-h
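
The point made in the quoted commit message, that truncating only the result is not enough for right shifts, shown on concrete values. This is an added example, not part of the thread or the kernel patch; it models plain integers rather than the verifier's tracked register state, and the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
enum op { OP_ADD, OP_MUL, OP_AND, OP_LSH, OP_RSH, OP_MAX };

/* 64-bit ALU on concrete values; callers keep shift counts below 32. */
static uint64_t alu64(enum op op, uint64_t dst, uint64_t src)
{
    switch (op) {
    case OP_ADD: return dst + src;
    case OP_MUL: return dst * src;
    case OP_AND: return dst & src;
    case OP_LSH: return dst << src;
    case OP_RSH: return dst >> src;
    default:     return 0;
    }
}

/* Model A: compute at 64 bits, coerce only the result to 32 bits. */
static uint32_t trunc_output_only(enum op op, uint64_t dst, uint64_t src)
{
    return (uint32_t)alu64(op, dst, src);
}

/* Model B: coerce both inputs to 32 bits first, then compute. */
static uint32_t trunc_inputs_first(enum op op, uint64_t dst, uint64_t src)
{
    return (uint32_t)alu64(op, (uint32_t)dst, (uint32_t)src);
}

/* Count constructed samples on which the two models disagree for one op. */
static int mismatches(enum op op)
{
    static const uint64_t dsts[] = { 0x100000000ULL, 0xdeadbeefcafef00dULL,
                                     0xffffffff00000000ULL, 7 };
    static const uint64_t srcs[] = { 1, 4, 31 };
    int n = 0;
    for (size_t i = 0; i < 4; i++)
        for (size_t j = 0; j < 3; j++)
            n += trunc_output_only(op, dsts[i], srcs[j]) !=
                 trunc_inputs_first(op, dsts[i], srcs[j]);
    return n;
}

int main(void)
{
    for (int op = 0; op < OP_MAX; op++)  /* index order: add mul and lsh rsh */
        printf("op %d: %d mismatching samples\n", op, mismatches((enum op)op));
    return 0;
}
```

Only the right shift disagrees: bits above bit 31 of the untruncated input move down into the low 32 bits, so dropping the upper half afterwards does not remove them.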