On Thu, Sep 14, 2017 at 11:14 AM, David Miller <da...@davemloft.net> wrote: > From: Edward Cree <ec...@solarflare.com> > Date: Thu, 14 Sep 2017 18:53:17 +0100 > >> Is BPF_END supposed to only be used with BPF_ALU, never with BPF_ALU64?
Yes, only BPF_ALU. The below is LLVM bpf swap insn encoding: ... // bswap16, bswap32, bswap64 class BSWAP ... ... let op = 0xd; // BPF_END let BPFSrc = 1; // BPF_TO_BE (TODO: use BPF_TO_LE for big-endian target) let BPFClass = 4; // BPF_ALU ... >> In kernel/bpf/core.c:___bpf_prog_run(), there are only jump table targets >> for the BPF_ALU case, not for the BPF_ALU64 case (opcodes 0xd7 and 0xdf). >> But the verifier doesn't enforce this; by crafting a program that uses >> these opcodes I can get a WARN when they're run (without JIT; it looks >> like the x86 JIT, at least, won't like it either). >> Proposed patch below the cut; build-tested only. > > Good catch. > > A really neat test would be a program that uploads random BPF programs > into the kernel, in a syzkaller'ish way. It might have triggered this > (eventually). >
