path: root/lib/timerqueue.c
author: Alexei Starovoitov <[email protected]> 2017-12-19 04:12:00 +0000
committer: Daniel Borkmann <[email protected]> 2017-12-21 01:15:41 +0000
commit: bb7f0f989ca7de1153bd128a40a71709e339fa03
tree: 1667911dc70762b44fac20651cd8e23b73c257cf /lib/timerqueue.c
parent: bpf: don't prune branches when a scalar is replaced with a pointer

bpf: fix integer overflows

There were various issues related to the limited size of integers used in
the verifier:
- `off + size` overflow in __check_map_access()
- `off + reg->off` overflow in check_mem_access()
- `off + reg->var_off.value` overflow or 32-bit truncation of
  `reg->var_off.value` in check_mem_access()
- 32-bit truncation in check_stack_boundary()

Make sure that any integer math cannot overflow by not allowing
pointer math with large values.

Also reduce the scope of "scalar op scalar" tracking.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Reported-by: Jann Horn <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>

Diffstat (limited to 'lib/timerqueue.c')
0 files changed, 0 insertions, 0 deletions
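
The two bug classes named in the commit message (a wrapping `off + size` sum and 32-bit truncation of a 64-bit offset), as a simplified added example; this is not the kernel's verifier code and not part of this commit. The function names, the unsigned types and the `MAX_OFF` cap are assumptions made for illustration, and the inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on offsets and sizes, chosen for this example only. */
#define MAX_OFF (1u << 29)

/* Naive check: the 32-bit sum "off + size" wraps, so a huge off can pass. */
static bool naive_access_ok(uint32_t off, uint32_t size, uint32_t value_size)
{
    return size != 0 && off + size <= value_size;
}

/* Naive variable-offset check: the 64-bit value is truncated to 32 bits
 * before it is added, so its high bits are silently dropped. */
static bool naive_var_access_ok(uint32_t off, uint64_t var_off,
                                uint32_t size, uint32_t value_size)
{
    uint32_t total = off + (uint32_t)var_off;   /* truncation happens here */
    return naive_access_ok(total, size, value_size);
}

/* Hardened check: reject large operands first, then add in 64 bits,
 * where three operands below MAX_OFF cannot wrap. */
static bool checked_access_ok(uint64_t off, uint64_t var_off,
                              uint64_t size, uint64_t value_size)
{
    if (off >= MAX_OFF || var_off >= MAX_OFF || size == 0 || size >= MAX_OFF)
        return false;
    return off + var_off + size <= value_size;
}

int main(void)
{
    /* Constructed inputs: a 64-byte value and an 8-byte access. */
    printf("wrap:  naive=%d checked=%d\n",
           naive_access_ok(0xfffffffcu, 8, 64),
           checked_access_ok(0xfffffffcu, 0, 8, 64));
    printf("trunc: naive=%d checked=%d\n",
           naive_var_access_ok(0, 0x100000008ull, 8, 64),
           checked_access_ok(0, 0x100000008ull, 8, 64));
    printf("valid: naive=%d checked=%d\n",
           naive_access_ok(56, 8, 64),
           checked_access_ok(56, 0, 8, 64));
    return 0;
}
```

The naive checks accept the first two accesses because the arithmetic is done at a narrower width than the values it describes; bounding the operands before adding them rejects both while the in-range access is still accepted.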