HAPPY

Results: 10 issues of HAPPY

The current ebpf-verifier doesn't appear to support `BPF_JMP32_REG`/`BPF_JMP32_IMM` instruction parsing. When we construct the `BPF_JMP32_REG` instruction, as defined in `bpf-instruction.h` of the Linux kernel: ``` #define BPF_JMP32_REG(OP, DST, SRC, OFF) \...

I've tried to run the example of pinCTF on Windows 10 x64 ``` python37 pinCTF.py -f myexample.exe -i -l obj-intel64 -sl 28 -r abcdefghijklmnopqrstuvwxyz012345_-+LVMA -sk -t -tc 10 -ppin-3.13-98189-g60a6ef199-msvc-windows ``` It...

When I use `git submodule update --init --recursive`, the process fails with a fatal error. ``` Submodule 'libc-database' (https://github.com/lieanu/libc-database.git) registered for path 'libc-database' Cloning into '/home/happy/Downloads/libc/libc/libc-database'... error: Server does not...

ebpf-verifier-check gets stuck while verifying the following program with the default options (i.e., the termination check is disabled by default). The hex dump of the instruction stream: ``` 0f57 0000 0000...

The JIT compiler does not emit check instructions for the target PC during code generation. Hence, any invalid jump target can be reached without validation: https://github.com/iovisor/ubpf/blob/7d6da196ae98caf26fb953a0d709e8289dffd035/vm/ubpf_jit_x86_64.c#L102-L118 Execute the following PoC...

When we run the PoC program in the JIT compiler, we get the return value `224` after execution, while the correct return value should be `0`. The code generation implementation...

The current JIT compiler does not emit boundary checks for the load/store memory opcode. Hence, any program can perform an invalid memory operation. e.g., the following PoC program can trigger...

## Details

The `bounds_check` function does not check whether `address + size` overflows. When `address` is large enough, the result of `(char*)addr + size` would overflow and bypass the...

The current implementation of the interpreter does not check the termination of the eBPF program. While executing an unterminated eBPF program, the interpreter would make an invalid `pc` that exceeds...

In the upstream kernel eBPF specification, the offset of the arithmetic shift should be masked [0]. In the interpreter of ubpf, the mask is missing for EBPF_OP_ARSH64 and EBPF_OP_ARSH: https://github.com/iovisor/ubpf/blob/a6082a2124e25045161a4ea9aa1a5a7dbd995379/vm/ubpf_vm.c#L572-L577...