bpf: Fix extable fixup offset.

Alexei Starovoitov · borkmann · commit 433956e91200 · 2021-12-16T21:18:26.000+01:00
The prog - start_of_ldx is the offset before the faulting ldx to the location after it, so this will be used to adjust pt_regs->ip for jumping over it and continuing, and with old temp it would have been fixed up to the wrong offset, causing crash. Fixes: 4c5de12 ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.") Signed-off-by: Alexei Starovoitov <ast@kernel.org> Reviewed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
@@ -1305,7 +1305,7 @@ st:			if (is_imm8(insn->off))
 				 * End result: x86 insn "mov rbx, qword ptr [rax+0x14]"
 				 * of 4 bytes will be ignored and rbx will be zero inited.
 				 */
-				ex->fixup = (prog - temp) | (reg2pt_regs[dst_reg] << 8);
+				ex->fixup = (prog - start_of_ldx) | (reg2pt_regs[dst_reg] << 8);
 			}
 			break;
 

Original file line number	Diff line number	Diff line change
`@@ -1305,7 +1305,7 @@ st: if (is_imm8(insn->off))`
`1305`	`1305`	`* End result: x86 insn "mov rbx, qword ptr [rax+0x14]"`
`1306`	`1306`	`* of 4 bytes will be ignored and rbx will be zero inited.`
`1307`	`1307`	`*/`
`1308`		`- ex->fixup = (prog - temp) \| (reg2pt_regs[dst_reg] << 8);`
	`1308`	`+ ex->fixup = (prog - start_of_ldx) \| (reg2pt_regs[dst_reg] << 8);`
`1309`	`1309`	`}`
`1310`	`1310`	`break;`
`1311`	`1311`