On 6/25/15 5:47 AM, Xi Wang wrote:
Problems occur when bpf_to or bpf_from has value prog->len - 1 (e.g., "Very long jump backwards" in test_bpf where the last instruction is a jump): since ctx->offset has length prog->len, ctx->offset[bpf_to + 1] or ctx->offset[bpf_from + 1] will cause an out-of-bounds read, leading to a bogus jump offset and kernel panic.This patch moves updating ctx->offset to after calling build_insn(), and changes indexing to use bpf_to and bpf_from without + 1. Cc: Zi Shen Lim<zlim....@gmail.com> Cc: Alexei Starovoitov<a...@plumgrid.com> Cc: Will Deacon<will.dea...@arm.com> Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler") Signed-off-by: Xi Wang<xi.w...@gmail.com>
Nice catch! Looks good to me. Acked-by: Alexei Starovoitov <a...@plumgrid.com> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
