[PATCH] bpf, x32: Fix bug for BPF_ALU64 | BPF_NEG

[PATCH] bpf, x32: Fix bug for BPF_ALU64 | BPF_NEG

[Wang YanQing]

commit b9aa0b35d878dff9ed19f94101fe353a4de00cc4 upstream.

The fix only affects x32 bpf jit, and it is critical to use x32 bpf jit on a
unpatched system, so I think we should backport it to the only affected stable
kernel version: v4.19

Thanks.

Cc: <stable@vger.kernel.org> #4.19

Signed-off-by: Wang YanQing <udknight@gmail.com>

Re: [PATCH] bpf, x32: Fix bug for BPF_ALU64 | BPF_NEG

[Daniel Borkmann]

On 04/28/2019 04:33 AM, Wang YanQing wrote:
> The current implementation has two errors:
> 1: The second xor instruction will clear carry flag which
>    is necessary for following sbb instruction.
> 2: The select coding for sbb instruction is wrong, the coding
>    is "sbb dreg_hi,ecx", but what we need is "sbb ecx,dreg_hi".
> 
> This patch rewrites the implementation and fixes the errors.
> 
> This patch fixes below errors reported by bpf/test_verifier in x32
> platform when the jit is enabled:
> "
> 0: (b4) w1 = 4
> 1: (b4) w2 = 4
> 2: (1f) r2 -= r1
> 3: (4f) r2 |= r1
> 4: (87) r2 = -r2
> 5: (c7) r2 s>>= 63
> 6: (5f) r1 &= r2
> 7: (bf) r0 = r1
> 8: (95) exit
> processed 9 insns (limit 131072), stack depth 0
> 0: (b4) w1 = 4
> 1: (b4) w2 = 4
> 2: (1f) r2 -= r1
> 3: (4f) r2 |= r1
> 4: (87) r2 = -r2
> 5: (c7) r2 s>>= 63
> 6: (5f) r1 &= r2
> 7: (bf) r0 = r1
> 8: (95) exit
> processed 9 insns (limit 131072), stack depth 0
> ......
> Summary: 1189 PASSED, 125 SKIPPED, 15 FAILED
> "
> 
> Signed-off-by: Wang YanQing <udknight@gmail.com>

Applied, thanks!

[PATCH] bpf, x32: Fix bug for BPF_ALU64 | BPF_NEG

[Wang YanQing]

The current implementation has two errors:
1: The second xor instruction will clear carry flag which
   is necessary for following sbb instruction.
2: The select coding for sbb instruction is wrong, the coding
   is "sbb dreg_hi,ecx", but what we need is "sbb ecx,dreg_hi".

This patch rewrites the implementation and fixes the errors.

This patch fixes below errors reported by bpf/test_verifier in x32
platform when the jit is enabled:
"
0: (b4) w1 = 4
1: (b4) w2 = 4
2: (1f) r2 -= r1
3: (4f) r2 |= r1
4: (87) r2 = -r2
5: (c7) r2 s>>= 63
6: (5f) r1 &= r2
7: (bf) r0 = r1
8: (95) exit
processed 9 insns (limit 131072), stack depth 0
0: (b4) w1 = 4
1: (b4) w2 = 4
2: (1f) r2 -= r1
3: (4f) r2 |= r1
4: (87) r2 = -r2
5: (c7) r2 s>>= 63
6: (5f) r1 &= r2
7: (bf) r0 = r1
8: (95) exit
processed 9 insns (limit 131072), stack depth 0
......
Summary: 1189 PASSED, 125 SKIPPED, 15 FAILED
"

Signed-off-by: Wang YanQing <udknight@gmail.com>
---
 arch/x86/net/bpf_jit_comp32.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/arch/x86/net/bpf_jit_comp32.c b/arch/x86/net/bpf_jit_comp32.c
index 8097b88..b29e82f 100644
--- a/arch/x86/net/bpf_jit_comp32.c
+++ b/arch/x86/net/bpf_jit_comp32.c
@@ -700,19 +700,12 @@ static inline void emit_ia32_neg64(const u8 dst[], bool dstk, u8 **pprog)
 		      STACK_VAR(dst_hi));
 	}
 
-	/* xor ecx,ecx */
-	EMIT2(0x31, add_2reg(0xC0, IA32_ECX, IA32_ECX));
-	/* sub dreg_lo,ecx */
-	EMIT2(0x2B, add_2reg(0xC0, dreg_lo, IA32_ECX));
-	/* mov dreg_lo,ecx */
-	EMIT2(0x89, add_2reg(0xC0, dreg_lo, IA32_ECX));
-
-	/* xor ecx,ecx */
-	EMIT2(0x31, add_2reg(0xC0, IA32_ECX, IA32_ECX));
-	/* sbb dreg_hi,ecx */
-	EMIT2(0x19, add_2reg(0xC0, dreg_hi, IA32_ECX));
-	/* mov dreg_hi,ecx */
-	EMIT2(0x89, add_2reg(0xC0, dreg_hi, IA32_ECX));
+	/* neg dreg_lo */
+	EMIT2(0xF7, add_1reg(0xD8, dreg_lo));
+	/* adc dreg_hi,0x0 */
+	EMIT3(0x83, add_1reg(0xD0, dreg_hi), 0x00);
+	/* neg dreg_hi */
+	EMIT2(0xF7, add_1reg(0xD8, dreg_hi));
 
 	if (dstk) {
 		/* mov dword ptr [ebp+off],dreg_lo */
-- 
1.8.5.6.2.g3d8a54e.dirty