

Skip local calls and fix ub behavior on le ops
Signed-off-by: Alan Jowett <[email protected]>
Alan-Jowett committed May 14, 2024
1 parent ee8bc07 commit 57403e5
Showing 3 changed files with 22 additions and 0 deletions.
17 changes: 17 additions & 0 deletions libfuzzer/libfuzz_harness.cc
Expand Up @@ -89,6 +89,23 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, std::size_t size)
return -1;
}

if ((program_length % sizeof(ebpf_inst)) != 0) {
// The program length needs to be a multiple of sizeof(ebpf_inst_t).
// This is not interesting, as the fuzzer input is invalid.
// Do not add it to the corpus.
return -1;
}

for (std::size_t i = 0; i < program_length / sizeof(ebpf_inst); i++) {
ebpf_inst inst = reinterpret_cast<const ebpf_inst*>(program_start)[i];
if (inst.opcode == EBPF_OP_CALL && inst.src == 1) {
// Until local calls are fixed, reject local calls.
// This is not interesting, as the fuzzer input is invalid.
// Do not add it to the corpus.
return -1;
}
}

// Copy any input memory into a writable buffer.
if (memory_length > 0) {
memory.resize(memory_length);
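Review bot: The instruction read `ebpf_inst inst = reinterpret_cast<const ebpf_inst*>(program_start)[i];` dereferences the fuzzer input as an ebpf_inst, which is only well-defined when program_start is suitably aligned for that struct; nothing in the hunk establishes that, and a harness whose purpose is to surface undefined behaviour in the VM should not carry its own. Copying the instruction out sidesteps the alignment question: `ebpf_inst inst; std::memcpy(&inst, program_start + i * sizeof(ebpf_inst), sizeof(inst));` (assuming program_start is a byte pointer; `<cstring>` is needed if not already included). The comment above the length check says `sizeof(ebpf_inst_t)` while the code uses `sizeof(ebpf_inst)`; make the comment match the type actually used. The enclosing LLVMFuzzerTestOneInput starts and ends outside the hunk.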
4 changes: 4 additions & 0 deletions ubpf/disassembler.py
Expand Up @@ -128,6 +128,8 @@ def disassemble_one(data, offset):
if opcode_name == "exit":
return opcode_name
elif opcode_name == "call":
if src_reg == 1:
opcode_name += " local"
return "%s %s" % (opcode_name, I(imm))
elif opcode_name == "ja":
return "%s %s" % (opcode_name, O(off))
Expand All @@ -143,6 +145,8 @@ def disassemble_one(data, offset):
if opcode_name == "exit":
return opcode_name
elif opcode_name == "call":
if src_reg == 1:
opcode_name += " local"
return "%s %s" % (opcode_name, I(imm))
elif opcode_name == "ja":
return "%s %s" % (opcode_name, O(off))
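Review bot: The local-call test `if src_reg == 1:` is added as a bare literal in both hunks, and nothing tells a reader that a source register of 1 is what distinguishes a local (BPF-to-BPF) call from a helper call. Give the value a module-level name, e.g. `CALL_SRC_LOCAL = 1  # src=1 marks a local (BPF-to-BPF) call`, and use it in both places. The identical two-line block landing in both branches of disassemble_one also suggests the exit/call/ja handling is duplicated and could be shared so future fixes are applied once. disassemble_one starts and ends outside both hunks.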
1 change: 1 addition & 0 deletions vm/ubpf_vm.c
Expand Up @@ -491,6 +491,7 @@ ubpf_validate_shadow_register(const struct ubpf_vm* vm, uint16_t* shadow_registe
case 0x90: // EBPF_OP_MOD
case 0xa0: // EBPF_OP_XOR
case 0xc0: // EBPF_OP_ARSH
case 0xd0: // EBPF_OP_LE
dst_register_required = true;
break;
case 0xb0: // EBPF_OP_MOV
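Review bot: The comment on the new `case 0xd0: // EBPF_OP_LE` names only the little-endian conversion, but the neighbouring cases (0x90 for MOD, 0xa0 for XOR) indicate this switch matches the opcode with its low nibble masked, and under that masking 0xd0 also covers EBPF_OP_BE, since LE (0xd4) and BE (0xdc) differ only in the source bit. Both byte-swap forms read their destination register before writing it, so requiring dst is the right classification for both; make the comment say so, e.g. `case 0xd0: // EBPF_OP_LE / EBPF_OP_BE (byte swap reads dst)`. If the switch instead compares the full opcode, 0xd0 would match neither form and the fix would be a no-op, so this is worth confirming against the switch expression, which lies outside the hunk. ubpf_validate_shadow_register continues outside the hunk.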
