author | leecam <leecam@chromium.org> | 2014-10-03 09:19:18 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2014-10-03 16:19:58 +0000 |
commit | 90b32ca95485409ba5646c96a4ec0aa4b6216aee (patch) | |
tree | 4dbccf37c2a2e6c91bb1f808249971dbdf00f0e7 /sandbox/linux/seccomp-bpf | |
parent | ebfe54f3477971bd2574d3247aa0d300fb358f12 (diff) | |
download | chromium_src-90b32ca95485409ba5646c96a4ec0aa4b6216aee.zip chromium_src-90b32ca95485409ba5646c96a4ec0aa4b6216aee.tar.gz chromium_src-90b32ca95485409ba5646c96a4ec0aa4b6216aee.tar.bz2 |
sandbox: Fix uninitialized data in non-jumping bpf instructions
Non-jumping BPF instructions ignore the jt/jf fields and should
be set to zero. This CL corrects an issue where these fields
were left uninitialized, resulting in non-zero values.
BUG=406116
TEST=sandbox_linux_unittests Linux & Android
Review URL: https://codereview.chromium.org/607473002
Cr-Commit-Position: refs/heads/master@{#298039}
Diffstat (limited to 'sandbox/linux/seccomp-bpf')
-rw-r--r-- | sandbox/linux/seccomp-bpf/instruction.h | 42 | ||||
-rw-r--r-- | sandbox/linux/seccomp-bpf/verifier.cc | 3 |
2 files changed, 22 insertions, 23 deletions
diff --git a/sandbox/linux/seccomp-bpf/instruction.h b/sandbox/linux/seccomp-bpf/instruction.h
index 8567c8f..70b7791 100644
--- a/sandbox/linux/seccomp-bpf/instruction.h
+++ b/sandbox/linux/seccomp-bpf/instruction.h
@@ -7,6 +7,8 @@
 
 #include <stdint.h>
 
+#include <cstddef>
+
 namespace sandbox {
 
 // The fields in this structure have the same meaning as the corresponding
@@ -27,33 +29,29 @@ struct Instruction {
   // Constructor for an non-jumping instruction or for an unconditional
   // "always" jump.
   Instruction(uint16_t c, uint32_t parm, Instruction* n)
-      : code(c), next(n), k(parm) {}
+      : code(c), jt(0), jf(0), jt_ptr(NULL), jf_ptr(NULL), next(n), k(parm) {}
 
   // Constructor for a conditional jump instruction.
   Instruction(uint16_t c, uint32_t parm, Instruction* jt, Instruction* jf)
-      : code(c), jt_ptr(jt), jf_ptr(jf), k(parm) {}
+      : code(c), jt(0), jf(0), jt_ptr(jt), jf_ptr(jf), next(NULL), k(parm) {}
 
   uint16_t code;
-  union {
-    // When code generation is complete, we will have computed relative
-    // branch targets that are in the range 0..255.
-    struct {
-      uint8_t jt, jf;
-    };
-
-    // While assembling the BPF program, we use pointers for branch targets.
-    // Once we have computed basic blocks, these pointers will be entered as
-    // keys in a TargetsToBlocks map and should no longer be dereferenced
-    // directly.
-    struct {
-      Instruction* jt_ptr, *jf_ptr;
-    };
-
-    // While assembling the BPF program, non-jumping instructions are linked
-    // by the "next_" pointer. This field is no longer needed when we have
-    // computed basic blocks.
-    Instruction* next;
-  };
+
+  // When code generation is complete, we will have computed relative
+  // branch targets that are in the range 0..255.
+  uint8_t jt, jf;
+
+  // While assembling the BPF program, we use pointers for branch targets.
+  // Once we have computed basic blocks, these pointers will be entered as
+  // keys in a TargetsToBlocks map and should no longer be dereferenced
+  // directly.
+  Instruction* jt_ptr, *jf_ptr;
+
+  // While assembling the BPF program, non-jumping instructions are linked
+  // by the "next_" pointer. This field is no longer needed when we have
+  // computed basic blocks.
+  Instruction* next;
+
   uint32_t k;
 };
 
diff --git a/sandbox/linux/seccomp-bpf/verifier.cc b/sandbox/linux/seccomp-bpf/verifier.cc
index bf4e974..e411bd9 100644
--- a/sandbox/linux/seccomp-bpf/verifier.cc
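Review bot: The new declaration `Instruction* jt_ptr, *jf_ptr;` puts two pointer declarators on one line, which is easy to misread as one pointer plus one value and goes against one-declaration-per-line for pointers; split it into `Instruction* jt_ptr;` and `Instruction* jf_ptr;`. The comment above `uint8_t jt, jf;` still only describes the computed branch targets and says nothing about the invariant this CL restores, so add `// Must stay zero for non-jumping instructions, which ignore these fields.` so the next person touching the constructors knows why both of them zero jt/jf. With the union gone every instance now carries jt/jf, the two pointers and next simultaneously, so a pointer that was previously clobbered by the computed targets now survives; if any code after basic-block computation still reads jt_ptr/jf_ptr or next, that is not visible in this hunk and should be confirmed. struct Instruction begins before this hunk.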
+++ b/sandbox/linux/seccomp-bpf/verifier.cc
@@ -169,7 +169,8 @@ bool VerifyErrorCode(SandboxBPF* sandbox,
 }
 
 void Ld(State* state, const struct sock_filter& insn, const char** err) {
-  if (BPF_SIZE(insn.code) != BPF_W || BPF_MODE(insn.code) != BPF_ABS) {
+  if (BPF_SIZE(insn.code) != BPF_W || BPF_MODE(insn.code) != BPF_ABS ||
+      insn.jt != 0 || insn.jf != 0) {
     *err = "Invalid BPF_LD instruction";
     return;
   }
|
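Review bot: The added `insn.jt != 0 || insn.jf != 0` check only rejects stray jt/jf bytes for BPF_LD, yet the other non-jumping classes (BPF_RET, BPF_ALU, BPF_MISC) ignore those fields in exactly the same way, so if their handlers in this file do not make the equivalent check the verifier still accepts the uninitialized values this CL sets out to catch; those handlers are outside the hunk, so confirm rather than assume. Factoring the condition into a small helper, e.g. `static bool HasStrayJumpFields(const struct sock_filter& insn) { return insn.jt != 0 || insn.jf != 0; }`, would let each non-jump handler apply it and keep the rejection uniform. Since this check is the only thing that would have flagged the original bug, a unit test that feeds a non-jump instruction with non-zero jt/jf through the verifier is worth adding alongside it. The body of Ld continues past the end of the hunk.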