NetBSD-Bugs archive
kern/43185: bpf_validate() uses BPF_RVAL() when it should use BPF_SRC()
>Number: 43185
>Category: kern
>Synopsis: bpf_validate() uses BPF_RVAL() when it should use BPF_SRC()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Apr 21 00:30:00 +0000 2010
>Originator: Guy Harris
>Release: current
>Organization:
>Environment:
>Description:
In bpf_validate, when it checks whether the divisor in a BPF_DIV instruction is
a constant 0, it does
        case BPF_DIV:
                /*
                 * Check for constant division by 0.
                 */
                if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
                        return 0;
                break;
BPF_RVAL() is the macro to get the return value of a RET instruction; it
extracts the 0x18 bits. The BPF_DIV opcode is 0x30, which has the 0x10 bit
set; a BPF_DIV instruction with a constant 0 as the divisor would be
BPF_DIV|BPF_K, which is 0x30; BPF_RVAL(p->code) would be 0x10, which isn't
equal to BPF_K, which is 0x00.
The macro to get the source argument of an arithmetic instruction is BPF_SRC(),
which extracts only the 0x08 bit; BPF_SRC(p->code) would be 0x00, which is
equal to BPF_K, so it should be doing
        case BPF_DIV:
                /*
                 * Check for constant division by 0.
                 */
                if (BPF_SRC(p->code) == BPF_K && p->k == 0)
                        return 0;
                break;
>How-To-Repeat:
Found by inspection.
>Fix:
See full description - change BPF_RVAL to BPF_SRC in that check.
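An added example (not NetBSD's bpf_validate() and not part of this report) that runs the report's two versions of the BPF_DIV check over a constructed two-instruction filter, to show that the BPF_RVAL() form accepts a constant division by zero while the BPF_SRC() form rejects it. The opcode macros are redefined locally with their standard <net/bpf.h> values so the program builds stand-alone; div_check() and the sample filters are assumed names for this demonstration.

```c
/* Added example, not NetBSD's bpf_validate(): the two versions of the
 * BPF_DIV check from the report, run over a constructed filter. The opcode
 * macros carry their standard <net/bpf.h> values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_CLASS(code)  ((code) & 0x07)
#define BPF_ALU          0x04
#define BPF_OP(code)     ((code) & 0xf0)
#define BPF_DIV          0x30
#define BPF_SRC(code)    ((code) & 0x08)  /* ALU/JMP operand: BPF_K or BPF_X */
#define BPF_K            0x00
#define BPF_X            0x08
#define BPF_RVAL(code)   ((code) & 0x18)  /* RET value source; bit 0x10 is BPF_A */
#define BPF_RET          0x06
#define BPF_A            0x10

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Return 1 if prog passes the division check, 0 if it is rejected.
 * use_src == 0 reproduces the report's bug (BPF_RVAL), use_src == 1 the fix. */
static int div_check(const struct bpf_insn *prog, size_t len, int use_src)
{
        for (size_t i = 0; i < len; i++) {
                const struct bpf_insn *p = &prog[i];
                if (BPF_CLASS(p->code) != BPF_ALU || BPF_OP(p->code) != BPF_DIV)
                        continue;
                int src = use_src ? BPF_SRC(p->code) : BPF_RVAL(p->code);
                if (src == BPF_K && p->k == 0)  /* constant division by zero */
                        return 0;
        }
        return 1;
}

/* Constructed filter: A /= 0 with a constant divisor (code 0x34); return A. */
static const struct bpf_insn bad_prog[] = {
        { BPF_ALU | BPF_DIV | BPF_K, 0, 0, 0 },
        { BPF_RET | BPF_A,           0, 0, 0 },
};
/* Constructed filter: A /= X, register divisor; both checks must accept it. */
static const struct bpf_insn ok_prog[] = {
        { BPF_ALU | BPF_DIV | BPF_X, 0, 0, 0 },
        { BPF_RET | BPF_A,           0, 0, 0 },
};

int main(void)
{
        printf("RVAL check accepts A/=0: %d\n", div_check(bad_prog, 2, 0)); /* 1: bug */
        printf("SRC  check accepts A/=0: %d\n", div_check(bad_prog, 2, 1)); /* 0: fixed */
        return 0;
}
```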