Hi developers,
We have identified a flaw in the ubpf_interpreter, which may lead to undefined behavior.
Description
When encountering BPF_XCHG or BPF_CMPXCHG, the ubpf_interpreter and ubpf_jit may behave differently. According to the Linux kernel documentation, the BPF_FETCH flag should always be set for complex atomic operations. However, the ubpf_interpreter accepts instructions such as BPF_XCHG even if the BPF_FETCH flag is not set. The interpreter executes the instruction without modifying the source operand. Meanwhile, ubpf_jit does not check the BPF_FETCH flag and defaults to using lock xchg on x86.
The attached file contains the BPF bytecode, which will cause invalid memory access. It should fail to execute with ubpf_interpreter due to the BPF_XCHG instruction, but instead, it runs successfully. And finally, it causes a segmentation fault after ubpf_jit’s translation.
bytecode&harness.zip
Stack Dump
#0 ubpf_exec_ex (vm=0x611000000040, mem=0x631000014800, mem_len=65536, bpf_return_value=0x7fffffffe180, stack_start=0x621000000100 "", stack_length=4096)
#1 0x000055555565e9b1 in call_ubpf_interpreter (program_code=std::vector of length 48, capacity 64 = {...}, memory=std::vector of length 65536, capacity 65536 = {...}, ubpf_stack=std::vector of length 4096, capacity 4096 = {...}, interpreter_result=@0x7fffffffe180: 0)
#2 0x0000555555661dbf in main (argc=2, argv=0x7fffffffe4f8)
Thanks for reporting this. The intent is that uBPF is only used to execute trusted byte code. Can you clarify what verifier you used to check the code for correctness before executing it?
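As an added example (not uBPF's own code, nor the reporter's harness), the pre-execution check a verifier layer could run to catch the encoding in the report above: it decodes the atomic-op field of each BPF_STX|BPF_ATOMIC instruction with the Linux uapi constants and rejects BPF_XCHG/BPF_CMPXCHG encodings whose BPF_FETCH bit is cleared, so neither the interpreter nor the JIT ever sees them. The struct layout follows the kernel's (uBPF's own may differ), and the sample programs, find_bad_atomic and atomic_imm_is_valid are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constants from the Linux uapi bpf.h: XCHG/CMPXCHG are defined with BPF_FETCH set. */
#define BPF_STX     0x03
#define BPF_DW      0x18
#define BPF_ATOMIC  0xc0
#define BPF_FETCH   0x01
#define BPF_ADD     0x00
#define BPF_OR      0x40
#define BPF_AND     0x50
#define BPF_XOR     0xa0
#define BPF_XCHG    (0xe0 | BPF_FETCH)
#define BPF_CMPXCHG (0xf0 | BPF_FETCH)
/* Kernel instruction layout; uBPF's own struct may differ (assumption). */
struct bpf_insn { uint8_t opcode; uint8_t dst_reg:4; uint8_t src_reg:4; int16_t off; int32_t imm; };

/* Simple ops may take or omit BPF_FETCH; XCHG/CMPXCHG must carry it (0xe0/0xf0 are rejected). */
static bool atomic_imm_is_valid(int32_t imm)
{
    int32_t op = imm & ~BPF_FETCH;
    if (op == BPF_ADD || op == BPF_OR || op == BPF_AND || op == BPF_XOR)
        return true;
    return imm == BPF_XCHG || imm == BPF_CMPXCHG;
}

/* Index of the first malformed BPF_STX|BPF_ATOMIC insn, or -1 if none. */
static int find_bad_atomic(const struct bpf_insn *insns, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t op = insns[i].opcode;
        if ((op & 0x07) != BPF_STX || (op & 0xe0) != BPF_ATOMIC)
            continue;                                  /* not an atomic insn */
        if (!atomic_imm_is_valid(insns[i].imm))
            return (int)i;
    }
    return -1;
}

/* Constructed samples, not the reporter's attached bytecode. */
static const struct bpf_insn sample_ok[] = {
    { .opcode = 0xbf, .dst_reg = 1, .src_reg = 10 },                  /* r1 = r10 */
    { .opcode = BPF_STX | BPF_DW | BPF_ATOMIC, .dst_reg = 1, .src_reg = 2, .off = -8, .imm = BPF_XCHG },
    { .opcode = 0x95 },                                                /* exit */
};
static const struct bpf_insn sample_bad[] = {
    { .opcode = 0xbf, .dst_reg = 1, .src_reg = 10 },
    { .opcode = BPF_STX | BPF_DW | BPF_ATOMIC, .dst_reg = 1, .src_reg = 2, .off = -8, .imm = 0xe0 }, /* FETCH cleared */
    { .opcode = 0x95 },
};
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))
```

Run over a program before handing it to ubpf_exec or the JIT, a non-negative result means the program must be refused rather than executed.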