Commit 89c63074 authored by Daniel Borkmann's avatar Daniel Borkmann Committed by David S. Miller

bpf: make htab inlining more robust wrt assumptions

Commit 9015d2f5 ("bpf: inline htab_map_lookup_elem()") was
making the assumption that a direct call emission to the function
__htab_map_lookup_elem() will always work out for JITs.

This is currently true since all JITs we have are for 64 bit archs,
but in case of 32 bit JITs like upcoming arm32, we get a NULL pointer
dereference when executing the call to __htab_map_lookup_elem()
since passed arguments are of a different size (due to pointer args)
than what we do out of BPF. Guard and thus limit this for now for
the current 64 bit JITs only.
Reported-by: default avatarShubham Bansal <illusionist.neo@gmail.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 06d0a11f
...@@ -4160,7 +4160,11 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) ...@@ -4160,7 +4160,11 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
continue; continue;
} }
if (ebpf_jit_enabled() && insn->imm == BPF_FUNC_map_lookup_elem) { /* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup
* handlers are currently limited to 64 bit only.
*/
if (ebpf_jit_enabled() && BITS_PER_LONG == 64 &&
insn->imm == BPF_FUNC_map_lookup_elem) {
map_ptr = env->insn_aux_data[i + delta].map_ptr; map_ptr = env->insn_aux_data[i + delta].map_ptr;
if (map_ptr == BPF_MAP_PTR_POISON || if (map_ptr == BPF_MAP_PTR_POISON ||
!map_ptr->ops->map_gen_lookup) !map_ptr->ops->map_gen_lookup)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment