On Tue, Nov 8, 2016 at 4:23 PM, Jann Horn <ja...@google.com> wrote:
> In 484611357c19 (not in any stable kernel yet), functionality is
> introduced that allows root (and afaics nobody else, since nobody else
> is allowed to perform pointer arithmetic) to basically write to (and
> read from) arbitrary kernel memory. There are multiple bugs in the
> validation logic:
>

I was curious, so I gave the code a quick read. I also see:

+	/* PTR_TO_MAP_VALUE_ADJ is used for doing pointer math inside of a map
+	 * elem value. We only allow this if we can statically verify that
+	 * access from this register are going to fall within the size of the
+	 * map element.
+	 */
+	PTR_TO_MAP_VALUE_ADJ,

Shouldn't this document what logical type this is? Is it a pointer? Is it an offset? (It seems to be checked as though it's a pointer with a max offset of "max_value", which makes very little sense to me.)

	regs[i].min_value = BPF_REGISTER_MIN_RANGE;

where min_value is a u64 and BPF_REGISTER_MIN_RANGE is negative. Shouldn't those be s64?

init_reg_state() duplicates reset_reg_range_values().

That's all I've read so far.
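Review bot: the comment added above PTR_TO_MAP_VALUE_ADJ states the policy (accesses must fall within the map element) but not the representation the verifier checks: what the register holds and which fields carry the bound. Suggest saying so in the comment, e.g. "the register is a map-value pointer whose added offset is tracked as a range; an access is allowed only when that whole range keeps it inside the element", and "access from this register are going to fall" should read "accesses from this register are going to fall".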
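A constructed C model of the u64-versus-s64 point raised in this reply, added here and not taken from the kernel or from anyone in the thread: the struct layouts, the negative floor MODEL_MIN_RANGE (standing in for BPF_REGISTER_MIN_RANGE) and the 16-byte element size are assumptions. It shows why a "min value is negative" rejection can never fire when min_value is unsigned.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not the kernel's verifier code. A register is a
 * map-value pointer plus a tracked offset range [min_value, max_value];
 * the check must reject a range that can go negative and then bound the
 * largest offset against the element size. */
#define MODEL_MIN_RANGE (-(1LL << 32))   /* hypothetical negative floor */

struct reg_u64 { uint64_t min_value, max_value; };  /* as in the quoted code */
struct reg_s64 { int64_t  min_value, max_value; };  /* as the reply suggests */

/* Returns true if an access of `size` bytes at pointer + off, for every
 * offset in the tracked range, stays inside an element of value_size bytes. */
static bool access_ok_u64(const struct reg_u64 *r, uint64_t off,
                          uint64_t size, uint64_t value_size)
{
    /* Meant to reject a possibly-negative index. On a u64 this comparison
     * is always false: a stored negative value reads as a huge positive. */
    if (r->min_value < 0)
        return false;
    return r->max_value + off + size <= value_size;
}

static bool access_ok_s64(const struct reg_s64 *r, int64_t off,
                          int64_t size, int64_t value_size)
{
    if (r->min_value < 0)   /* fires as intended on a signed field */
        return false;
    return r->max_value + off + size <= value_size;
}

int main(void)
{
    /* Index range [-8, 8] into a 16-byte element: an access at offset -8
     * lands before the element, so a correct check must reject it. */
    struct reg_u64 ru = { .min_value = (uint64_t)-8, .max_value = 8 };
    struct reg_s64 rs = { .min_value = -8, .max_value = 8 };
    struct reg_s64 reset = { .min_value = MODEL_MIN_RANGE, .max_value = 8 };

    printf("u64 field: %s\n",
           access_ok_u64(&ru, 0, 4, 16) ? "accepted (defect)" : "rejected");
    printf("s64 field: %s\n",
           access_ok_s64(&rs, 0, 4, 16) ? "accepted" : "rejected");
    printf("s64 field at negative floor: %s\n",
           access_ok_s64(&reset, 0, 4, 16) ? "accepted" : "rejected");
    return 0;
}
```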