[PATCH v4] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run

Alexei Starovoitov alexei.starovoitov at gmail.com
Thu Jun 10 17:52:37 UTC 2021

On Thu, Jun 10, 2021 at 10:06 AM Kees Cook <keescook at chromium.org> wrote:
> > > I guess the main question: what should happen if a bpf program writer
> > > does _not_ use compiler nor check_shl_overflow()?
> I think the BPF runtime needs to make such actions defined, instead of
> doing a blind shift. It needs to check the size of the shift explicitly
> when handling the shift instruction.

Such ideas were brought up in the past and rejected.
We're not going to sacrifice performance to make behavior a bit more
'defined'. CPUs are doing it deterministically. It's the C standard
that needs fixing.

> Sure, but the point of UBSAN is to find and alert about undefined
> behavior, so we still need to fix this.

No. The undefined behavior of C standard doesn't need "fixing" most of the time.

More information about the Linux-kernel-mentees mailing list