• Piotr Krysiuk's avatar
    bpf, x86: Validate computation of branch displacements for x86-32 · 26f55a59
    Piotr Krysiuk authored
    The branch displacement logic in the BPF JIT compilers for x86 assumes
    that, for any generated branch instruction, the distance cannot
    increase between optimization passes.
    
    But this assumption can be violated due to how the distances are
    computed. Specifically, whenever a backward branch is processed in
    do_jit(), the distance is computed by subtracting the positions in the
    machine code from different optimization passes. This is because part
    of addrs[] is already updated for the current optimization pass, before
    the branch instruction is visited.
    
    And so the optimizer can expand blocks of machine code in some cases.
    
    This can confuse the optimizer logic, where it assumes that a fixed
    point has been reached for all machine code blocks once the total
    program size stops changing. And then the JIT compiler can output
    abnormal machine code containing incorrect branch displacements.
    
    To mitigate this issue, we assert that a fixed point is reached while
    populating the output image. This rejects any problematic programs.
    The issue affects both x86-32 and x86-64. We mitigate separately to
    ease backporting.
    Signed-off-by: default avatarPiotr Krysiuk <piotras@gmail.com>
    Reviewed-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    26f55a59
bpf_jit_comp32.c 61.2 KB