The current implementation of the interpreter does not check the termination of the eBPF program. While executing an unterminated eBPF program, the interpreter would make an invalid pc that exceeds the program instruction length.

Referenced code: ubpf/vm/ubpf_vm.c, lines 388 to 390 in 7d6da19

The following PoC program demonstrates the out-of-bounds memory access when uBPF executes it.

The bytecode of the program is 2f4242424242452a, and the disassembled code is mul %r2, %r4.

Running it would trigger an invalid memory read:

==48160==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x5567e2f23000 (pc 0x5567e071111c bp 0x000000005567 sp 0x7ffca7fb67f0 T48160)
==48160==The signal is caused by a READ memory access.
#0 0x5567e071111c in ubpf_fetch_instruction /ubpf/vm/ubpf_vm.c
#1 0x5567e071111c in ubpf_exec /ubpf/vm/ubpf_vm.c:390:33

Patch suggestion:

In the while loop, we should check whether the PC is equal to or larger than the vm->num_insts:
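An added example, not uBPF's code and not from the issue author: a toy C interpreter loop that carries the bounds check proposed above, run over the PoC bytes from the issue and over a constructed program that ends with exit. The names toy_vm, toy_exec, run_poc, run_terminated and the status codes are assumptions chosen for this example; only the three opcodes the two programs need are implemented.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy eBPF interpreter written to illustrate this issue; it is not uBPF's
   code. Only the opcodes used by the two sample programs are implemented. */

#define OP_MUL64_REG 0x2f   /* BPF_ALU64 | BPF_MUL | BPF_X  (mul dst, src) */
#define OP_MOV64_IMM 0xb7   /* BPF_ALU64 | BPF_MOV | BPF_K  (mov dst, imm) */
#define OP_EXIT      0x95   /* BPF_JMP   | BPF_EXIT         (exit)         */

#define INSN_SIZE 8
#define NUM_REGS  11        /* r0..r10 */

enum exec_status {
    EXEC_OK               =  0,
    EXEC_BAD_OPCODE       = -1,
    EXEC_BAD_REGISTER     = -2,
    EXEC_PC_OUT_OF_BOUNDS = -3,  /* ran off the end: no exit was executed */
};

struct toy_vm {
    const uint8_t *code;  /* raw little-endian instruction bytes */
    size_t num_insts;     /* number of 8-byte instructions */
};

static int toy_exec(const struct toy_vm *vm, uint64_t *result)
{
    uint64_t reg[NUM_REGS] = {0};
    size_t pc = 0;

    for (;;) {
        /* The check the issue asks for: never fetch at pc >= num_insts.
           Without it, the PoC below would read one instruction past the
           end of the buffer, which is the crash in the sanitizer trace. */
        if (pc >= vm->num_insts)
            return EXEC_PC_OUT_OF_BOUNDS;

        const uint8_t *p = vm->code + pc * INSN_SIZE;
        uint8_t opcode = p[0];
        uint8_t dst = p[1] & 0x0f;       /* low nibble  = destination reg */
        uint8_t src = p[1] >> 4;         /* high nibble = source reg      */
        int32_t imm = (int32_t)((uint32_t)p[4] | (uint32_t)p[5] << 8 |
                                (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24);
        pc++;

        if (dst >= NUM_REGS || src >= NUM_REGS)
            return EXEC_BAD_REGISTER;

        switch (opcode) {
        case OP_MOV64_IMM: reg[dst] = (uint64_t)(int64_t)imm; break;
        case OP_MUL64_REG: reg[dst] *= reg[src];              break;
        case OP_EXIT:      *result = reg[0];                  return EXEC_OK;
        default:           return EXEC_BAD_OPCODE;
        }
    }
}

/* The PoC from the issue: 2f4242424242452a, one "mul %r2, %r4" and no exit. */
int run_poc(void)
{
    static const uint8_t poc[] = {0x2f, 0x42, 0x42, 0x42, 0x42, 0x42, 0x45, 0x2a};
    struct toy_vm vm = { poc, sizeof poc / INSN_SIZE };
    uint64_t unused = 0;
    return toy_exec(&vm, &unused);       /* EXEC_PC_OUT_OF_BOUNDS, no crash */
}

/* Constructed well-formed program: r0 = 6; r1 = 7; r0 *= r1; exit  -> 42.
   Returns -1 if the interpreter reports any error. */
int64_t run_terminated(void)
{
    static const uint8_t prog[] = {
        0xb7, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,  /* mov64 r0, 6  */
        0xb7, 0x01, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,  /* mov64 r1, 7  */
        0x2f, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* mul64 r0, r1 */
        0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* exit         */
    };
    struct toy_vm vm = { prog, sizeof prog / INSN_SIZE };
    uint64_t result = 0;
    if (toy_exec(&vm, &result) != EXEC_OK)
        return -1;
    return (int64_t)result;
}

int main(void)
{
    printf("PoC status: %d\n", run_poc());
    printf("terminated program result: %lld\n", (long long)run_terminated());
    return 0;
}
```

The runtime check is the minimal fix: it turns the out-of-bounds fetch into an error return. A load-time rule that the last instruction must be exit is a cheap complement, but it is not a substitute, since a jump target can still land past the end of the program unless every branch target is also validated.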