CVS commit: [netbsd-7] src/sys/net

Martin Husemann Mon, 16 Feb 2015 12:49:05 -0800

Module Name:    src
Committed By:   martin
Date:           Mon Feb 16 20:48:40 UTC 2015


Modified Files:
        src/sys/net [netbsd-7]: bpfjit.c

Log Message:
Pull up following revision(s) (requested by alnsn in ticket #519):
        sys/net/bpfjit.c: revision 1.39-1.41
Fix bugs found by afl fuzzer http://lcamtuf.coredump.cx/afl/.
-
Don't emit wrapped-around reads. They're dead code but dead code elimination
logic isn't smart enough to figure it out.
-
Properly track initialisation of registers for BPF_JMP instructions.


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.32.2.1 src/sys/net/bpfjit.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/bpfjit.c
diff -u src/sys/net/bpfjit.c:1.32 src/sys/net/bpfjit.c:1.32.2.1
--- src/sys/net/bpfjit.c:1.32	Sat Jul 26 11:23:46 2014
+++ src/sys/net/bpfjit.c	Mon Feb 16 20:48:40 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: bpfjit.c,v 1.32 2014/07/26 11:23:46 alnsn Exp $	*/
+/*	$NetBSD: bpfjit.c,v 1.32.2.1 2015/02/16 20:48:40 martin Exp $	*/
 
 /*-
  * Copyright (c) 2011-2014 Alexander Nasonov.
@@ -31,9 +31,9 @@
 
 #include <sys/cdefs.h>
 #ifdef _KERNEL
-__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.32 2014/07/26 11:23:46 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.32.2.1 2015/02/16 20:48:40 martin Exp $");
 #else
-__RCSID("$NetBSD: bpfjit.c,v 1.32 2014/07/26 11:23:46 alnsn Exp $");
+__RCSID("$NetBSD: bpfjit.c,v 1.32.2.1 2015/02/16 20:48:40 martin Exp $");
 #endif
 
 #include <sys/types.h>
@@ -290,15 +290,10 @@ read_width(const struct bpf_insn *pc)
 {
 
 	switch (BPF_SIZE(pc->code)) {
-	case BPF_W:
-		return 4;
-	case BPF_H:
-		return 2;
-	case BPF_B:
-		return 1;
-	default:
-		BJ_ASSERT(false);
-		return 0;
+	case BPF_W: return 4;
+	case BPF_H: return 2;
+	case BPF_B: return 1;
+	default:    return 0;
 	}
 }
 
@@ -839,6 +834,8 @@ emit_pkt_read(struct sljit_compiler *com
 
 	ld_reg = BJ_BUF;
 	width = read_width(pc);
+	if (width == 0)
+		return SLJIT_ERR_ALLOC_FAILED;
 
 	if (BPF_MODE(pc->code) == BPF_IND) {
 		/* tmp1 = buflen - (pc->k + width); */
@@ -871,20 +868,27 @@ emit_pkt_read(struct sljit_compiler *com
 			return SLJIT_ERR_ALLOC_FAILED;
 	}
 
-	switch (width) {
-	case 4:
-		status = emit_read32(compiler, ld_reg, k);
-		break;
-	case 2:
-		status = emit_read16(compiler, ld_reg, k);
-		break;
-	case 1:
-		status = emit_read8(compiler, ld_reg, k);
-		break;
-	}
+	/*
+	 * Don't emit wrapped-around reads. They're dead code but
+	 * dead code elimination logic isn't smart enough to figure
+	 * it out.
+	 */
+	if (k <= UINT32_MAX - width + 1) {
+		switch (width) {
+		case 4:
+			status = emit_read32(compiler, ld_reg, k);
+			break;
+		case 2:
+			status = emit_read16(compiler, ld_reg, k);
+			break;
+		case 1:
+			status = emit_read8(compiler, ld_reg, k);
+			break;
+		}
 
-	if (status != SLJIT_SUCCESS)
-		return status;
+		if (status != SLJIT_SUCCESS)
+			return status;
+	}
 
 #ifdef _KERNEL
 	over_mchain_jump = sljit_emit_jump(compiler, SLJIT_JUMP);
@@ -1195,12 +1199,15 @@ read_pkt_insn(const struct bpf_insn *pc,
 	case BPF_LD:
 		rv = BPF_MODE(pc->code) == BPF_ABS ||
 		     BPF_MODE(pc->code) == BPF_IND;
-		if (rv)
+		if (rv) {
 			width = read_width(pc);
+			rv = (width != 0);
+		}
 		break;
 
 	case BPF_LDX:
-		rv = pc->code == (BPF_LDX|BPF_B|BPF_MSH);
+		rv = BPF_MODE(pc->code) == BPF_MSH &&
+		     BPF_SIZE(pc->code) == BPF_B;
 		width = 1;
 		break;
 	}
@@ -1372,6 +1379,13 @@ optimize_pass1(const bpf_ctx_t *bc, cons
 			/* Initialize abc_length for ABC pass. */
 			insn_dat[i].u.jdata.abc_length = MAX_ABC_LENGTH;
 
+			*initmask |= invalid & BJ_INIT_ABIT;
+
+			if (BPF_SRC(insns[i].code) == BPF_X) {
+				*hints |= BJ_HINT_XREG;
+				*initmask |= invalid & BJ_INIT_XBIT;
+			}
+
 			if (BPF_OP(insns[i].code) == BPF_JA) {
 				jt = jf = insns[i].k;
 			} else {
@@ -1550,6 +1564,7 @@ optimize(const bpf_ctx_t *bc, const stru
 static int
 bpf_alu_to_sljit_op(const struct bpf_insn *pc)
 {
+	const int bad = SLJIT_UNUSED;
 
 	/*
 	 * Note: all supported 64bit arches have 32bit multiply
@@ -1561,11 +1576,10 @@ bpf_alu_to_sljit_op(const struct bpf_ins
 	case BPF_MUL: return SLJIT_MUL|SLJIT_INT_OP;
 	case BPF_OR:  return SLJIT_OR;
 	case BPF_AND: return SLJIT_AND;
-	case BPF_LSH: return SLJIT_SHL;
-	case BPF_RSH: return SLJIT_LSHR|SLJIT_INT_OP;
+	case BPF_LSH: return (pc->k > 31) ? bad : SLJIT_SHL;
+	case BPF_RSH: return (pc->k > 31) ? bad : SLJIT_LSHR|SLJIT_INT_OP;
 	default:
-		BJ_ASSERT(false);
-		return 0;
+		return bad;
 	}
 }
 
@@ -1885,10 +1899,12 @@ generate_insn_code(struct sljit_compiler
 			}
 
 			if (BPF_OP(pc->code) != BPF_DIV) {
+				const int op2 = bpf_alu_to_sljit_op(pc);
+
+				if (op2 == SLJIT_UNUSED)
+					goto fail;
 				status = sljit_emit_op2(compiler,
-				    bpf_alu_to_sljit_op(pc),
-				    BJ_AREG, 0,
-				    BJ_AREG, 0,
+				    op2, BJ_AREG, 0, BJ_AREG, 0,
 				    kx_to_reg(pc), kx_to_reg_arg(pc));
 				if (status != SLJIT_SUCCESS)
 					goto fail;

CVS commit: [netbsd-7] src/sys/net

Reply via email to