[dpdk-dev] [Bug 298] BPF: eval_call() is messing bounds of return types different of RTE_BPF_ARG_RAW

bugzilla at dpdk.org bugzilla at dpdk.org
Thu Jun 27 16:58:31 CEST 2019

Previous message: [dpdk-dev] [PATCH] cryptodev: free memzone when releasing cryptodev
Next message: [dpdk-dev] [PATCH] net/mlx5: fix 32-bit build
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

https://bugs.dpdk.org/show_bug.cgi?id=298

            Bug ID: 298
           Summary: BPF: eval_call() is messing bounds of return types
                    different of RTE_BPF_ARG_RAW
           Product: DPDK
           Version: 19.08
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: other
          Assignee: dev at dpdk.org
          Reporter: michel at digirati.com.br
  Target Milestone: ---

Created attachment 42
  --> https://bugs.dpdk.org/attachment.cgi?id=42&action=edit
Patch eval_call() in lib/librte_bpf/bpf_validate.c

eval_call() in lib/librte_bpf/bpf_validate.c calls eval_max_bound() on the BPF
return value for all types. This makes the verifier fails when a BPF helper
function returns a pointer that is later dereferenced. The error message when
this happens should be similar to this one: evaluate: memory boundary violation
at pc: 7.

evaluate() in the same file only calls eval_max_bound() on the parameter of the
BPF program when its type is RTE_BPF_ARG_RAW. Based on this knowledge, I tested
the attached patch and it works. But I'm not knowledgable enough on librte_bpf
to know if this is the correct way to solve this problem.

-- 
You are receiving this mail because:
You are the assignee for the bug.

Previous message: [dpdk-dev] [PATCH] cryptodev: free memzone when releasing cryptodev
Next message: [dpdk-dev] [PATCH] net/mlx5: fix 32-bit build
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list