

Fix - Verify imm not offset in CALL_IMM (#568)
* Adds check_call_target() to verifier.

* Fixes fuzz_targets.
Lichtso authored May 20, 2024
1 parent 0270240 commit 1988242
Showing 3 changed files with 15 additions and 5 deletions.
2 changes: 1 addition & 1 deletion fuzz/fuzz_targets/smart_jit_diff.rs
@@ -78,7 +78,7 @@ fuzz_target!(|data: FuzzData| {
#[allow(unused)]
let (_interp_ins_count, interp_res) = interp_vm.execute_program(&executable, true);

#[cfg(all(feature = "jit", not(target_os = "windows"), target_arch = "x86_64"))]
#[cfg(all(not(target_os = "windows"), target_arch = "x86_64"))]
if executable.jit_compile().is_ok() {
let mut jit_mem = data.mem;
let mut jit_context_object = TestContextObject::new(1 << 16);
6 changes: 3 additions & 3 deletions fuzz/fuzz_targets/smarter_jit_diff.rs
@@ -68,7 +68,7 @@ fuzz_target!(|data: FuzzData| {
#[allow(unused)]
let (_interp_ins_count, interp_res) = interp_vm.execute_program(&executable, true);

#[cfg(all(feature = "jit", not(target_os = "windows"), target_arch = "x86_64"))]
#[cfg(all(not(target_os = "windows"), target_arch = "x86_64"))]
if executable.jit_compile().is_ok() {
let mut jit_mem = data.mem;
let mut jit_context_object = TestContextObject::new(1 << 16);
@@ -85,8 +85,8 @@ fuzz_target!(|data: FuzzData| {
let (_jit_ins_count, jit_res) = jit_vm.execute_program(&executable, false);
if format!("{:?}", interp_res) != format!("{:?}", jit_res) {
// spot check: there's a meaningless bug where ExceededMaxInstructions is different due to jump calculations
if interp_res_str.contains("ExceededMaxInstructions")
&& jit_res_str.contains("ExceededMaxInstructions")
if format!("{:?}", interp_res).contains("ExceededMaxInstructions")
&& format!("{:?}", jit_res).contains("ExceededMaxInstructions")
{
return;
}
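Review bot: The replacement lines format `interp_res` and `jit_res` a second time inside the `ExceededMaxInstructions` spot check, although the enclosing `if` on the line above already produced both `Debug` strings; binding them once reads better and avoids the duplicate formatting. Something like `let interp_res_str = format!("{:?}", interp_res);`, `let jit_res_str = format!("{:?}", jit_res);` and `if interp_res_str != jit_res_str {` would let the two `.contains(...)` lines use the bound names. The `fuzz_target!` closure continues outside the hunk.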
12 changes: 11 additions & 1 deletion src/verifier.rs
@@ -164,6 +164,16 @@ fn check_jmp_offset(
Ok(())
}

fn check_call_target(
key: u32,
function_registry: &FunctionRegistry<usize>,
) -> Result<(), VerifierError> {
function_registry
.lookup_by_key(key)
.map(|_| ())
.ok_or(VerifierError::InvalidFunction(key as usize))
}

fn check_registers(
insn: &ebpf::Insn,
store: bool,
@@ -371,7 +381,7 @@ impl Verifier for RequisiteVerifier {
ebpf::JSLT_REG => { check_jmp_offset(prog, insn_ptr, &function_range)?; },
ebpf::JSLE_IMM => { check_jmp_offset(prog, insn_ptr, &function_range)?; },
ebpf::JSLE_REG => { check_jmp_offset(prog, insn_ptr, &function_range)?; },
ebpf::CALL_IMM if sbpf_version.static_syscalls() && insn.src != 0 => { check_jmp_offset(prog, insn_ptr, &program_range)?; },
ebpf::CALL_IMM if sbpf_version.static_syscalls() && insn.src != 0 => { check_call_target(insn.imm as u32, function_registry)?; },
ebpf::CALL_IMM => {},
ebpf::CALL_REG => { check_callx_register(&insn, insn_ptr, config, sbpf_version)?; },
ebpf::EXIT => {},
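Review bot: `insn.imm as u32` in the new `CALL_IMM` arm is a silently truncating cast, and `key as usize` in the `InvalidFunction` error widens it again, so an immediate outside the u32 range is verified as a different key than the one written in the instruction. If the interpreter and JIT resolve the call target with the same cast this is deliberately consistent and should say so, e.g. `// imm is truncated to u32 exactly as the executor does when resolving the target`; if they do not, `u32::try_from(insn.imm)` with the failure mapped to `InvalidFunction` would reject such immediates at verification time rather than accept them. `check_call_target` also lands without a doc comment (whether the neighbouring `check_*` helpers are documented is not visible in the hunk); a one-liner such as `/// Rejects a static CALL_IMM whose immediate is not a key in the function registry.` would state the contract. The `impl Verifier for RequisiteVerifier` match continues outside the hunk.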
