linux/arch
Daniel Borkmann d8b54110ee bpf, arm64: fix faulty emission of map access in tail calls
Shubham was recently asking on netdev why in arm64 JIT we don't multiply
the index for accessing the tail call map by 8. That led me into testing
out arm64 JIT wrt tail calls and it turned out I got a NULL pointer
dereference on the tail call.

The buggy access is at:

  prog = array->ptrs[index];
  if (prog == NULL)
      goto out;

  [...]
  00000060:  d2800e0a  mov x10, #0x70 // #112
  00000064:  f86a682a  ldr x10, [x1,x10]
  00000068:  f862694b  ldr x11, [x10,x2]
  0000006c:  b40000ab  cbz x11, 0x00000080
  [...]

The code triggering the crash is f862694b. x1 at the time contains the
address of the bpf array, x10 offsetof(struct bpf_array, ptrs). Meaning,
above we load the pointer to the program at map slot 0 into x10. x10
can then be NULL if the slot is not occupied, which we later on try to
access with a user given offset in x2 that is the map index.

Fix this by emitting the following instead:

  [...]
  00000060:  d2800e0a  mov x10, #0x70 // #112
  00000064:  8b0a002a  add x10, x1, x10
  00000068:  d37df04b  lsl x11, x2, #3
  0000006c:  f86b694b  ldr x11, [x10,x11]
  00000070:  b40000ab  cbz x11, 0x00000084
  [...]

This basically adds the offset to ptrs to the base address of the bpf
array we got and we later on access the map with an index * 8 offset
relative to that. The tail call map itself is basically one large area
with meta data at the head followed by the array of prog pointers.
This makes tail calls working again, tested on Cavium ThunderX ARMv8.

Fixes: ddb55992b0 ("arm64: bpf: implement bpf_tail_call() helper")
Reported-by: Shubham Bansal <illusionist.neo@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-11 12:41:31 -04:00
..
alpha Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
arc ARC updates for 4.12 2017-05-09 10:10:15 -07:00
arm dmaengine updates for 4.12-rc1 2017-05-09 15:40:28 -07:00
arm64 bpf, arm64: fix faulty emission of map access in tail calls 2017-05-11 12:41:31 -04:00
blackfin blackfin: bf609: let clk_disable() return immediately if clk is NULL 2017-05-03 15:52:07 -07:00
c6x Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 22:07:51 -07:00
cris pci-v4.12-changes 2017-05-08 19:03:25 -07:00
frv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
h8300 Merge branch 'work.uaccess' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-05-01 14:41:04 -07:00
hexagon Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 16:15:18 -07:00
ia64 pci-v4.12-changes 2017-05-08 19:03:25 -07:00
m32r Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
m68k scripts/spelling.txt: add regsiter -> register spelling mistake 2017-05-08 17:15:13 -07:00
metag Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2017-05-02 15:53:46 -07:00
microblaze pci-v4.12-changes 2017-05-08 19:03:25 -07:00
mips pci-v4.12-changes 2017-05-08 19:03:25 -07:00
mn10300 pci-v4.12-changes 2017-05-08 19:03:25 -07:00
nios2 Merge branch 'work.uaccess' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-05-01 14:41:04 -07:00
openrisc
parisc pci-v4.12-changes 2017-05-08 19:03:25 -07:00
powerpc pci-v4.12-changes 2017-05-08 19:03:25 -07:00
s390 Merge branch 'akpm' (patches from Andrew) 2017-05-08 18:17:56 -07:00
score Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 16:15:18 -07:00
sh pci-v4.12-changes 2017-05-08 19:03:25 -07:00
sparc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2017-05-09 15:48:29 -07:00
tile Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 16:15:18 -07:00
um Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-05-01 23:54:56 -07:00
unicore32 pci-v4.12-changes 2017-05-08 19:03:25 -07:00
x86 IOMMU Updates for Linux v4.12 2017-05-09 15:15:47 -07:00
xtensa pci-v4.12-changes 2017-05-08 19:03:25 -07:00
.gitignore
Kconfig crash: move crashkernel parsing and vmcore related code under CONFIG_CRASH_CORE 2017-05-08 17:15:11 -07:00