@DasSkelett
Created January 25, 2026 11:25
Unbounded memory access when cross-compiling for ppc: clang-18 vs clang-20
/*
 * Translate an ICMPv6 Parameter Problem message into its ICMPv4 equivalent.
 * The enclosing switch (on icmp6.icmp6_type) and the icmp/icmp6 headers it
 * works on are defined outside this excerpt.
 */
case ICMPV6_PARAMPROB:
/*
 * Code 1 (unrecognized Next Header) has no ICMPv4 Parameter Problem
 * counterpart; it becomes Destination Unreachable / Protocol Unreachable.
 * NOTE(review): the type written here is the ICMPv6 constant
 * (ICMPV6_DEST_UNREACH, value 1 in linux/icmpv6.h) into an ICMPv4 header;
 * the ICMPv4 Destination Unreachable type is ICMP_DEST_UNREACH (3).
 * Looks like a mix-up of the two constant families -- confirm against the
 * headers in use.
 */
if (icmp6.icmp6_code == 1) {
icmp.type = ICMPV6_DEST_UNREACH;
icmp.code = ICMP_PROT_UNREACH;
break;
} else if (icmp6.icmp6_code != 0) {
/* Any other non-zero code is not translatable; drop the packet. */
return TC_ACT_SHOT;
}
/* Code 0 (erroneous header field): ICMPv4 Parameter Problem, code 0. */
icmp.type = ICMP_PARAMETERPROB;
icmp.code = 0;
/*
 * Pointer translation: index = byte offset into the IPv6 header that the
 * sender flagged, value = the corresponding byte offset in the IPv4 header.
 * 255 marks offsets with no IPv4 equivalent (the flow-label bytes 2-3) and
 * is rejected below.  Offsets 0-39 cover exactly the 40-byte IPv6 header.
 */
__u8 new_ptr[40] = {
0, 1, 255, 255, 2, 2, 9, 8, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12,
12, 12, 12, 12, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16,
};
/* icmp6_pointer is carried in network byte order; host order is needed to index. */
__u32 pointer = bpf_ntohl(icmp6.icmp6_pointer);
/* new_ptr is a genuine local array here, so ARRAY_SIZE yields 40, not a pointer size. */
__u32 new_ptr_len = ARRAY_SIZE(new_ptr);
/*
 * Bounds check for the table lookup below.  The BPF verifier, not the
 * hardware, enforces it: at the load it must be able to prove that the
 * register used to index new_ptr is <= 39.  The attached verifier log shows
 * the failing build comparing a zero-extended copy (r2) against 0x27 but
 * indexing the table through the original register (r1, re-zero-extended
 * just before the load), so the verifier still sees R1 with
 * umax_value=4294967295 and rejects the program at load time
 * ("R2 unbounded memory access").  The passing build compares and indexes
 * with r1 directly.  Nothing reads out of bounds at runtime; the program
 * simply never loads.
 * NOTE(review): the usual way to keep the check and the index on the same
 * value is a compiler barrier right after the check, e.g. libbpf's
 * barrier_var(pointer) (asm volatile("" : "+r"(pointer))) -- confirm it
 * fixes the codegen of the failing clang before relying on it.
 */
if (pointer >= new_ptr_len) {
DEBUG_PRINT("Invalid pointer in ICMPv6 parameter problem message");
return TC_ACT_SHOT;
}
__u8 mapped_ptr = new_ptr[pointer];
/*
 * 255 = flagged field has no IPv4 counterpart, so no meaningful Parameter
 * Problem can be generated; drop.  (Same debug message as the range check
 * above, so the two failure modes are not distinguishable in the log.)
 */
if (mapped_ptr == 255) {
DEBUG_PRINT("Invalid pointer in ICMPv6 parameter problem message");
return TC_ACT_SHOT;
}
/* RFC 792: the ICMPv4 Parameter Problem pointer is the first byte of the otherwise unused field. */
icmp.un.reserved[0] = mapped_ptr;
break;
; icmp.type = ICMP_PARAMETERPROB;
333: (6b) *(u16 *)(r10 -16) = r2
; switch (icmp6.icmp6_type) {
334: (bf) r2 = r1
335: (67) r2 <<= 32
336: (77) r2 >>= 32
; if (pointer >= new_ptr_len) {
337: (25) if r2 > 0x27 goto pc-118
frame1: R0=inv2 R1=inv(id=16) R2_w=inv(id=0,umax_value=39,var_off=(0x0; 0x3f)) R3=inv4 R6=ctx(id=0,off=0,imm=0) R7=fp-24 R8=pkt(id=0,off=0,r=40,imm=0) R10=fp0 fp-8=mmmmmmmm fp-16=inv3072
338: (18) r2 = 0xfffffffe
; if (mapped_ptr == 255) {
340: (bf) r3 = r1
341: (5f) r3 &= r2
; if (mapped_ptr == 255) {
342: (15) if r3 == 0x2 goto pc-123
frame1: R0=inv2 R1=inv(id=16) R2_w=inv4294967294 R3_w=inv(id=0,umax_value=4294967294,var_off=(0x0; 0xfffffffe),s32_max_value=2147483646) R6=ctx(id=0,off=0,imm=0) R7=fp-24 R8=pkt(id=0,off=0,r=40,imm=0) R10=fp0 fp-8=mmmmmmmm fp-16=inv3072
; __u8 mapped_ptr = new_ptr[pointer];
343: (67) r1 <<= 32
344: (77) r1 >>= 32
345: (18) r2 = 0xc43e66e4
347: (0f) r2 += r1
348: (71) r1 = *(u8 *)(r2 +0)
frame1: R0=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=map_value(id=0,off=20,ks=4,vs=60,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R3_w=inv(id=0,umax_value=4294967294,var_off=(0x0; 0xfffffffe),s32_max_value=2147483646) R6=ctx(id=0,off=0,imm=0) R7=fp-24 R8=pkt(id=0,off=0,r=40,imm=0) R10=fp0 fp-8=mmmmmmmm fp-16=inv3072
R2 unbounded memory access, make sure to bounds check any such access
processed 465 insns (limit 1000000) max_states_per_insn 1 total_states 35 peak_states 35 mark_read 8
-- END PROG LOAD LOG --
; icmp.type = ICMP_PARAMETERPROB;
273: (6b) *(u16 *)(r10 -16) = r2
; __u32 pointer = bpf_ntohl(icmp6.icmp6_pointer);
274: (dc) r1 = be32 r1
; if (pointer >= new_ptr_len) {
275: (25) if r1 > 0x27 goto pc-77
276: (bf) r2 = r1
277: (57) r2 &= 62
278: (15) if r2 == 0x2 goto pc-80
; __u8 mapped_ptr = new_ptr[pointer];
279: (18) r2 = map[id:67][0]+20
281: (0f) r2 += r1
282: (71) r1 = *(u8 *)(r2 +0)
; icmp.un.reserved[0] = mapped_ptr;
283: (73) *(u8 *)(r10 -12) = r1