vbpf / ebpf-verifier

eBPF verifier based on abstract interpretation
MIT License

Verifier fails to reject multiplication and some other ALU ops by a non-number #739

Open Alan-Jowett opened 1 week ago

Alan-Jowett commented 1 week ago

Missing the multiplication case here: https://github.com/vbpf/ebpf-verifier/blob/80ada1c8b96263a924990a95576633223d355fbe/src/assertions.cpp#L211

Repro sequence as generated by fuzzer:

```
mov32 %r0, 0x830800
mul %r0, %r3
jne %r1, %r0, +0
exit
```

Alan-Jowett commented 1 week ago

OR, AND, LSH, RSH, XOR, ARSH all appear to have the same issue.
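
Added example (not part of the issue thread and not the project's code): a minimal register-type tracker showing the check the report says is missing, applied to the ALU instructions of the repro. The `Type`, `Op`, `Bin`, `first_rejected` and `repro` names are hypothetical, and the entry state (r1 = context pointer, r10 = frame pointer, all other registers uninitialized) is an assumption based on the usual eBPF calling convention.

```cpp
#include <array>
#include <cstddef>
#include <optional>
#include <vector>

// Simplified register types for illustration; not the project's abstract domain.
enum class Type { Uninit, Number, Pointer };
enum class Op { Mov, Mul, Or, And, Lsh, Rsh, Xor, Arsh };

struct Bin {                     // dst = dst <op> operand
    Op op;
    int dst;
    std::optional<int> src_reg;  // empty: the operand is an immediate
};

// Returns the index of the first rejected instruction, or -1 if all pass.
int first_rejected(const std::vector<Bin>& prog) {
    std::array<Type, 11> regs;
    regs.fill(Type::Uninit);
    regs[1] = Type::Pointer;   // assumed entry state: r1 holds the context pointer
    regs[10] = Type::Pointer;  // assumed entry state: r10 is the frame pointer
    for (std::size_t i = 0; i < prog.size(); ++i) {
        const Bin& ins = prog[i];
        // An immediate is always a number; a register has its tracked type.
        const Type src = ins.src_reg ? regs[*ins.src_reg] : Type::Number;
        if (ins.op == Op::Mov) {
            if (src == Type::Uninit) return static_cast<int>(i);
            regs[ins.dst] = src;
            continue;
        }
        // MUL, OR, AND, LSH, RSH, XOR, ARSH: both operands must be numbers.
        // A check that looked only at dst would accept the repro, where r0
        // is a number but r3 is not.
        if (regs[ins.dst] != Type::Number || src != Type::Number)
            return static_cast<int>(i);
        regs[ins.dst] = Type::Number;
    }
    return -1;
}

// The ALU part of the repro: mov32 %r0, 0x830800 ; mul %r0, %r3
std::vector<Bin> repro() {
    return {{Op::Mov, 0, std::nullopt}, {Op::Mul, 0, 3}};
}

int main() { return first_rejected(repro()) == 1 ? 0 : 1; }
```

The `jne` and `exit` instructions of the repro are left out because they are not binary ALU operations.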