Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7]: src/sys/net Pull up following revision(s) (requested by alnsn...
details: https://anonhg.NetBSD.org/src/rev/4c6b30bfb8a5
branches: netbsd-7
changeset: 798991:4c6b30bfb8a5
user: martin <martin%NetBSD.org@localhost>
date: Mon Feb 16 20:48:40 2015 +0000
description:
Pull up following revision(s) (requested by alnsn in ticket #519):
sys/net/bpfjit.c: revision 1.39-1.41
Fix bugs found by afl fuzzer http://lcamtuf.coredump.cx/afl/.
-
Don't emit wrapped-around reads. They're dead code but dead code elimination
logic isn't smart enough to figure it out.
-
Properly track initialisation of registers for BPF_JMP instructions.
diffstat:
sys/net/bpfjit.c | 84 +++++++++++++++++++++++++++++++++----------------------
1 files changed, 50 insertions(+), 34 deletions(-)
diffs (163 lines):
diff -r 1319fd36d5ab -r 4c6b30bfb8a5 sys/net/bpfjit.c
--- a/sys/net/bpfjit.c Mon Feb 16 14:09:50 2015 +0000
+++ b/sys/net/bpfjit.c Mon Feb 16 20:48:40 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bpfjit.c,v 1.32 2014/07/26 11:23:46 alnsn Exp $ */
+/* $NetBSD: bpfjit.c,v 1.32.2.1 2015/02/16 20:48:40 martin Exp $ */
/*-
* Copyright (c) 2011-2014 Alexander Nasonov.
@@ -31,9 +31,9 @@
#include <sys/cdefs.h>
#ifdef _KERNEL
-__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.32 2014/07/26 11:23:46 alnsn Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpfjit.c,v 1.32.2.1 2015/02/16 20:48:40 martin Exp $");
#else
-__RCSID("$NetBSD: bpfjit.c,v 1.32 2014/07/26 11:23:46 alnsn Exp $");
+__RCSID("$NetBSD: bpfjit.c,v 1.32.2.1 2015/02/16 20:48:40 martin Exp $");
#endif
#include <sys/types.h>
@@ -290,15 +290,10 @@
{
switch (BPF_SIZE(pc->code)) {
- case BPF_W:
- return 4;
- case BPF_H:
- return 2;
- case BPF_B:
- return 1;
- default:
- BJ_ASSERT(false);
- return 0;
+ case BPF_W: return 4;
+ case BPF_H: return 2;
+ case BPF_B: return 1;
+ default: return 0;
}
}
@@ -839,6 +834,8 @@
ld_reg = BJ_BUF;
width = read_width(pc);
+ if (width == 0)
+ return SLJIT_ERR_ALLOC_FAILED;
if (BPF_MODE(pc->code) == BPF_IND) {
/* tmp1 = buflen - (pc->k + width); */
@@ -871,21 +868,28 @@
return SLJIT_ERR_ALLOC_FAILED;
}
- switch (width) {
- case 4:
- status = emit_read32(compiler, ld_reg, k);
- break;
- case 2:
- status = emit_read16(compiler, ld_reg, k);
- break;
- case 1:
- status = emit_read8(compiler, ld_reg, k);
- break;
+ /*
+ * Don't emit wrapped-around reads. They're dead code but
+ * dead code elimination logic isn't smart enough to figure
+ * it out.
+ */
+ if (k <= UINT32_MAX - width + 1) {
+ switch (width) {
+ case 4:
+ status = emit_read32(compiler, ld_reg, k);
+ break;
+ case 2:
+ status = emit_read16(compiler, ld_reg, k);
+ break;
+ case 1:
+ status = emit_read8(compiler, ld_reg, k);
+ break;
+ }
+
+ if (status != SLJIT_SUCCESS)
+ return status;
}
- if (status != SLJIT_SUCCESS)
- return status;
-
#ifdef _KERNEL
over_mchain_jump = sljit_emit_jump(compiler, SLJIT_JUMP);
if (over_mchain_jump == NULL)
@@ -1195,12 +1199,15 @@
case BPF_LD:
rv = BPF_MODE(pc->code) == BPF_ABS ||
BPF_MODE(pc->code) == BPF_IND;
- if (rv)
+ if (rv) {
width = read_width(pc);
+ rv = (width != 0);
+ }
break;
case BPF_LDX:
- rv = pc->code == (BPF_LDX|BPF_B|BPF_MSH);
+ rv = BPF_MODE(pc->code) == BPF_MSH &&
+ BPF_SIZE(pc->code) == BPF_B;
width = 1;
break;
}
@@ -1372,6 +1379,13 @@
/* Initialize abc_length for ABC pass. */
insn_dat[i].u.jdata.abc_length = MAX_ABC_LENGTH;
+ *initmask |= invalid & BJ_INIT_ABIT;
+
+ if (BPF_SRC(insns[i].code) == BPF_X) {
+ *hints |= BJ_HINT_XREG;
+ *initmask |= invalid & BJ_INIT_XBIT;
+ }
+
if (BPF_OP(insns[i].code) == BPF_JA) {
jt = jf = insns[i].k;
} else {
@@ -1550,6 +1564,7 @@
static int
bpf_alu_to_sljit_op(const struct bpf_insn *pc)
{
+ const int bad = SLJIT_UNUSED;
/*
* Note: all supported 64bit arches have 32bit multiply
@@ -1561,11 +1576,10 @@
case BPF_MUL: return SLJIT_MUL|SLJIT_INT_OP;
case BPF_OR: return SLJIT_OR;
case BPF_AND: return SLJIT_AND;
- case BPF_LSH: return SLJIT_SHL;
- case BPF_RSH: return SLJIT_LSHR|SLJIT_INT_OP;
+ case BPF_LSH: return (pc->k > 31) ? bad : SLJIT_SHL;
+ case BPF_RSH: return (pc->k > 31) ? bad : SLJIT_LSHR|SLJIT_INT_OP;
default:
- BJ_ASSERT(false);
- return 0;
+ return bad;
}
}
@@ -1885,10 +1899,12 @@
}
if (BPF_OP(pc->code) != BPF_DIV) {
+ const int op2 = bpf_alu_to_sljit_op(pc);
+
+ if (op2 == SLJIT_UNUSED)
+ goto fail;
status = sljit_emit_op2(compiler,
- bpf_alu_to_sljit_op(pc),
- BJ_AREG, 0,
- BJ_AREG, 0,
+ op2, BJ_AREG, 0, BJ_AREG, 0,
kx_to_reg(pc), kx_to_reg_arg(pc));
if (status != SLJIT_SUCCESS)
goto fail;
Home |
Main Index |
Thread Index |
Old Index