linux-sg2042/arch
Daniel Borkmann ddc665a4bb bpf, arm64: fix jit branch offset related to ldimm64
When the instruction right before the branch destination is
a 64 bit load immediate, we currently calculate the wrong
jump offset in the ctx->offset[] array as we only account
one instruction slot for the 64 bit load immediate although
it uses two BPF instructions. Fix it up by setting the offset
into the right slot after we incremented the index.

Before (ldimm64 test 1):

  [...]
  00000020:  52800007  mov w7, #0x0 // #0
  00000024:  d2800060  mov x0, #0x3 // #3
  00000028:  d2800041  mov x1, #0x2 // #2
  0000002c:  eb01001f  cmp x0, x1
  00000030:  54ffff82  b.cs 0x00000020
  00000034:  d29fffe7  mov x7, #0xffff // #65535
  00000038:  f2bfffe7  movk x7, #0xffff, lsl #16
  0000003c:  f2dfffe7  movk x7, #0xffff, lsl #32
  00000040:  f2ffffe7  movk x7, #0xffff, lsl #48
  00000044:  d29dddc7  mov x7, #0xeeee // #61166
  00000048:  f2bdddc7  movk x7, #0xeeee, lsl #16
  0000004c:  f2ddddc7  movk x7, #0xeeee, lsl #32
  00000050:  f2fdddc7  movk x7, #0xeeee, lsl #48
  [...]

After (ldimm64 test 1):

  [...]
  00000020:  52800007  mov w7, #0x0 // #0
  00000024:  d2800060  mov x0, #0x3 // #3
  00000028:  d2800041  mov x1, #0x2 // #2
  0000002c:  eb01001f  cmp x0, x1
  00000030:  540000a2  b.cs 0x00000044
  00000034:  d29fffe7  mov x7, #0xffff // #65535
  00000038:  f2bfffe7  movk x7, #0xffff, lsl #16
  0000003c:  f2dfffe7  movk x7, #0xffff, lsl #32
  00000040:  f2ffffe7  movk x7, #0xffff, lsl #48
  00000044:  d29dddc7  mov x7, #0xeeee // #61166
  00000048:  f2bdddc7  movk x7, #0xeeee, lsl #16
  0000004c:  f2ddddc7  movk x7, #0xeeee, lsl #32
  00000050:  f2fdddc7  movk x7, #0xeeee, lsl #48
  [...]

Also, add a couple of test cases to make sure JITs pass
this test. Tested on Cavium ThunderX ARMv8. The added
test cases all pass after the fix.

Fixes: 8eee539dde ("arm64: bpf: fix out-of-bounds read in bpf2a64_offset()")
Reported-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: Xi Wang <xi.wang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-02 15:04:50 -04:00
..
alpha Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-15 21:16:30 -04:00
arc ARCv2: entry: save Accumulator register pair (r58:59) if present 2017-04-20 15:37:49 -07:00
arm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-20 10:35:33 -04:00
arm64 bpf, arm64: fix jit branch offset related to ldimm64 2017-05-02 15:04:50 -04:00
avr32 New getsockopt option to get socket cookie 2017-04-08 08:07:01 -07:00
blackfin sched/headers: Move task->mm handling methods to <linux/sched/mm.h> 2017-03-03 01:43:28 +01:00
c6x Merge branch 'regset' (PTRACE_SETREGSET data leakage) 2017-03-29 08:55:25 -07:00
cris Merge branch 'prep-for-5level' 2017-03-10 08:59:07 -08:00
frv New getsockopt option to get socket cookie 2017-04-08 08:07:01 -07:00
h8300 Merge branch 'regset' (PTRACE_SETREGSET data leakage) 2017-03-29 08:55:25 -07:00
hexagon arch, mm: convert all architectures to use 5level-fixup.h 2017-03-09 11:48:47 -08:00
ia64 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-15 21:16:30 -04:00
m32r New getsockopt option to get socket cookie 2017-04-08 08:07:01 -07:00
m68k m68k: Wire up statx 2017-03-20 11:27:28 +01:00
metag metag/usercopy: Fault handling fixes 2017-04-07 10:11:53 -07:00
microblaze arch, mm: convert all architectures to use 5level-fixup.h 2017-03-09 11:48:47 -08:00
mips Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-26 22:39:08 -04:00
mn10300 New getsockopt option to get socket cookie 2017-04-08 08:07:01 -07:00
nios2 nios2: reserve boot memory for device tree 2017-04-02 20:13:57 -07:00
openrisc openrisc: Export symbols needed by modules 2017-03-16 00:12:57 +09:00
parisc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-20 10:35:33 -04:00
powerpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-21 20:23:53 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-21 20:23:53 -07:00
score Fixup for arch/score after extable.h introduction 2017-03-11 14:16:50 -08:00
sh Merge branch 'prep-for-5level' 2017-03-10 08:59:07 -08:00
sparc sparc64: Fix BPF JIT wrt. branches and ldimm64 instructions. 2017-05-01 20:48:36 -07:00
tile arch, mm: convert all architectures to use 5level-fixup.h 2017-03-09 11:48:47 -08:00
um arch, mm: convert all architectures to use 5level-fixup.h 2017-03-09 11:48:47 -08:00
unicore32 arch, mm: convert all architectures to use 5level-fixup.h 2017-03-09 11:48:47 -08:00
x86 bpf, x86_64/arm64: remove old ldimm64 artifacts from jits 2017-04-28 15:48:14 -04:00
xtensa New getsockopt option to get socket cookie 2017-04-08 08:07:01 -07:00
.gitignore
Kconfig scripts/spelling.txt: add "an user" pattern and fix typo instances 2017-02-27 18:43:46 -08:00