
ebpf_domain_t::do_load_stack doesn't check for access to stack outside range

Open Alan-Jowett opened this issue 2 years ago • 0 comments

array_domain_t only tracks bits in a predefined range, but ebpf_domain_t::do_load_stack attempts to track invalid stack access.

  verifier_fuzzer.exe!std::bitset<512>::_Validate(unsigned __int64 _Pos) Line 72	C++
  verifier_fuzzer.exe!std::bitset<512>::operator[](unsigned __int64 _Pos) Line 85	C++
> verifier_fuzzer.exe!bitset_domain_t::uniformity(unsigned __int64 lb, int width) Line 66	C++
  verifier_fuzzer.exe!crab::domains::array_domain_t::load(crab::domains::SplitDBM & inv, crab::data_kind_t kind, const linear_expression_t & i, int width) Line 501	C++
  verifier_fuzzer.exe!ebpf_domain_t::do_load_stack(crab::domains::SplitDBM & inv, const asm_syntax::Reg & target_reg, const linear_expression_t & addr, int width, const asm_syntax::Reg & src_reg) Line 1012	C++
  verifier_fuzzer.exe!ebpf_domain_t::do_load(const asm_syntax::Mem & b, const asm_syntax::Reg & target_reg) Line 1113	C++
  verifier_fuzzer.exe!ebpf_domain_t::operator()(const asm_syntax::Mem & b) Line 1234	C++

_lb == -1040

crash-42e00cd42229150e43ed1aa313a7678a306b09bf.o.zip

I think the right fix is to have array_domain_t reject load/store outside of the valid range?

Alan-Jowett, Jun 11 '22 16:06
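A model of the check the issue proposes, added here as an example (not PREVAIL's own code): a small bitset-backed stack domain with the same `uniformity(lb, width)` shape as the trace, plus load/store wrappers that reject any access outside [0, 512) before the bitset is ever indexed. `STACK_BYTES = 512` is taken from `std::bitset<512>` in the trace; the type and function names, the per-byte bit meaning and the stack layout are assumptions.

```cpp
#include <bitset>
#include <cstddef>
#include <cstdint>

// Hypothetical model for this example (not the project's code). STACK_BYTES
// matches the std::bitset<512> seen in the call stack.
constexpr int64_t STACK_BYTES = 512;

struct bitset_domain {
    // One bit per stack byte: set means "holds a non-number" in this model.
    std::bitset<STACK_BYTES> non_numerical_bytes;

    // Same shape as uniformity(lb, width) in the trace: it indexes the bitset
    // directly, so it relies on the caller having range-checked [lb, lb+width).
    // With lb == -1040 converted to size_t this is exactly the out-of-range index.
    bool uniformity(std::size_t lb, int width) const {
        const bool first = non_numerical_bytes[lb];
        for (int i = 1; i < width; ++i)
            if (non_numerical_bytes[lb + static_cast<std::size_t>(i)] != first) return false;
        return true;
    }

    void store(std::size_t lb, int width, bool non_numerical) {
        for (int i = 0; i < width; ++i)
            non_numerical_bytes[lb + static_cast<std::size_t>(i)] = non_numerical;
    }
};

// The missing check: the whole access must lie inside [0, STACK_BYTES).
// Done in signed arithmetic so a negative lb cannot wrap to a huge size_t
// before the comparison happens.
bool in_stack_range(int64_t lb, int width) {
    return width > 0 && lb >= 0 && lb < STACK_BYTES && width <= STACK_BYTES - lb;
}

enum class access { ok, rejected };

// Guarded load: 'uniform' is only meaningful when the result is access::ok.
access checked_load(const bitset_domain& dom, int64_t lb, int width, bool& uniform) {
    if (!in_stack_range(lb, width)) return access::rejected;
    uniform = dom.uniformity(static_cast<std::size_t>(lb), width);
    return access::ok;
}

// Guarded store: the same check on the write path, as the issue suggests.
access checked_store(bitset_domain& dom, int64_t lb, int width, bool non_numerical) {
    if (!in_stack_range(lb, width)) return access::rejected;
    dom.store(static_cast<std::size_t>(lb), width, non_numerical);
    return access::ok;
}
```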