
filter_seccomp: fix jump offset overflow in binary match generator

binary_match_filter_generator() is missing a check for jump offset
overflows which might result in incorrect behavior if the binary match
strategy is selected and overflows.

I have only been able to reproduce the bug on mips after forcing strace to
use the binary match generator.  Due to the large number of syscalls on
mips, the binary match algorithm is suboptimal and the linear one is
selected.  This bug could however be triggered inadvertently if tracing a
very large set of syscalls not grouped together; in that case, the linear
strategy might have a jump offset overflow itself and strace would
fall back to the binary match one.

* filter_seccomp (binary_match_filter_generator): Check for jump offset
overflows.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Paul Chaignon 1 month ago
parent
commit
271d235528
1 changed file with 5 additions and 0 deletions: filter_seccomp.c

@@ -568,6 +568,11 @@ binary_match_filter_generator(struct sock_filter *filter, bool *overflow)
568 568
 		SET_BPF_STMT(&filter[pos++], BPF_RET | BPF_K,
569 569
 			     SECCOMP_RET_TRACE);
570 570
 
571
+		if (pos - start > UCHAR_MAX) {
572
+			*overflow = true;
573
+			return pos;
574
+		}
575
+
571 576
 		for (unsigned int i = start; i < end; ++i) {
572 577
 			if (BPF_CLASS(filter[i].code) != BPF_JMP)
573 578
 				continue;
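Review bot: the new check `if (pos - start > UCHAR_MAX)` is correct but conservative by one and the reason for the bound is not documented; a short comment would help. The jt/jf fields of struct sock_filter are 8-bit and a BPF jump is taken relative to the instruction after the jump, so the largest offset the loop below can patch for an instruction at index i is at most pos - i - 1, i.e. strictly less than pos - start; a distance of exactly UCHAR_MAX therefore still fits, and the check rejects it needlessly. That is harmless (it only forces the caller onto another strategy one instruction early), so the suggestion is to either relax it to `pos - start - 1 > UCHAR_MAX` or keep it as is and add a comment such as `/* jt/jf are 8-bit; the farthest jump is patched from start */`. Also confirm that <limits.h> is already included in filter_seccomp.c for UCHAR_MAX, which this hunk does not show.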
