diff options
| author | Eric Dumazet <edumazet@google.com> | 2019-07-23 03:15:37 -0700 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2019-07-23 14:12:37 -0700 |
| commit | 06a22d897d82f12776d44dbf0850f5895469cb2a (patch) | |
| tree | 011bf35f32c4141cf63e2c0b2643264e8ac12ae7 /lib/memory-notifier-error-inject.c | |
| parent | d9b8aadaffa65809d146cf0f8632a22a946367d7 (diff) | |
bpf: fix access to skb_shared_info->gso_segs
It is possible we reach bpf_convert_ctx_access() with
si->dst_reg == si->src_reg
Therefore, we need to load BPF_REG_AX before eventually
mangling si->src_reg.
syzbot generated this x86 code :
3: 55 push %rbp
4: 48 89 e5 mov %rsp,%rbp
7: 48 81 ec 00 00 00 00 sub $0x0,%rsp // Might be avoided ?
e: 53 push %rbx
f: 41 55 push %r13
11: 41 56 push %r14
13: 41 57 push %r15
15: 6a 00 pushq $0x0
17: 31 c0 xor %eax,%eax
19: 48 8b bf c0 00 00 00 mov 0xc0(%rdi),%rdi
20: 44 8b 97 bc 00 00 00 mov 0xbc(%rdi),%r10d
27: 4c 01 d7 add %r10,%rdi
2a: 48 0f b7 7f 06 movzwq 0x6(%rdi),%rdi // Crash
2f: 5b pop %rbx
30: 41 5f pop %r15
32: 41 5e pop %r14
34: 41 5d pop %r13
36: 5b pop %rbx
37: c9 leaveq
38: c3 retq
Fixes: d9ff286a0f59 ("bpf: allow BPF programs access skb_shared_info->gso_segs field")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'lib/memory-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions