Alan Jowett
/home/runner/work/ebpf-verifier/ebpf-verifier/src/crab/array_domain.cpp:68:10: runtime error: shift exponent 64 is too large for 64-bit type 'uint64_t' (aka 'unsigned long') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/runner/work/ebpf-verifier/ebpf-verifier/src/crab/array_domain.cpp:68:10 https://github.com/vbpf/ebpf-verifier/blob/6d092f4a9b02967ecd1b3c0da5d826c75385bc2e/src/crab/array_domain.cpp#L68
This pull request includes changes to improve the `ubpf` library. The most important changes include adding a new libfuzzer based fuzzer, modifying the `LLVMFuzzerTestOneInput` function to compare the results of...
All ALU32 operations are supposed to truncate the target register. Adding code to ensure that this is always done.
Execute the ubpf_test binary over each file in the fuzzing corpus, first using the interpreter then using JIT.
Setting of the offset -> PC target should occur after adjusting the stack, not before: https://github.com/iovisor/ubpf/blob/2bcb0150a414d6c50fe555df9069c2da8384eaed/vm/ubpf_jit_x86_64.c#L304 Failure to do this causes each loop iteration to adjust the stack on each...
The following instruction sequence causes uBPF to crash in JIT mode:

```
call local 0x0
jgt %r0, %r0, +0
exit
exit
exit
```

[program_local_call.zip](https://github.com/iovisor/ubpf/files/15255811/program_local_call.zip)
As per the BPF ISA spec: https://www.ietf.org/archive/id/draft-ietf-bpf-isa-00.html#section-3.1-3 But the implementation of 32-bit ALU operations doesn't truncate. https://github.com/iovisor/ubpf/blob/e8de891f30db1799985eab9bae1eccb2849dd505/vm/ubpf_jit_x86_64.c#L317C1-L320C19
Test case:

```
-- mem
00 00 00 01 00 00 00 02
-- asm
sub %r2, 1
jne %r2, 0, -2
mov %r0, 0
exit
-- result
0x0
```
...
https://github.com/vbpf/ebpf-verifier/blob/01d26e5c359e380fe7f3f0561ac9e877bc1f9ba3/src/crab/ebpf_domain.cpp#L1437 [timeout-dfb7ccfe8977abf66ca5c27e6629a0c50d99601c.zip](https://github.com/vbpf/ebpf-verifier/files/15408364/timeout-dfb7ccfe8977abf66ca5c27e6629a0c50d99601c.zip) ``` 0000000000000000 : 0: b7 00 00 00 01 00 00 00 r0 = 1 1: 61 12 04 00 00 00 00 00 r2 = *(u32 *)(r1...