Re: [PATCH v4] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run

From: Alexei Starovoitov
Date: Thu Jun 10 2021 - 13:54:08 EST


On Thu, Jun 10, 2021 at 10:06 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> > > I guess the main question: what should happen if a bpf program writer
> > > does _not_ use compiler nor check_shl_overflow()?
>
> I think the BPF runtime needs to make such actions defined, instead of
> doing a blind shift. It needs to check the size of the shift explicitly
> when handling the shift instruction.

Such ideas were brought up in the past and rejected.
We're not going to sacrifice performance to make behavior a bit more
'defined'. CPUs are doing it deterministically. It's the C standard
that needs fixing.

> Sure, but the point of UBSAN is to find and alert about undefined
> behavior, so we still need to fix this.

No. The undefined behavior of C standard doesn't need "fixing" most of the time.