I encountered several Integer Overflow issues in the interpreter during testing.
Description
The rbpf interpreter suffers from multiple integer overflows during instruction execution.
These can lead to runtime panics (DoS) or, in the case of the CALL instruction, a potential control flow hijacking if the overflow wraps around in release mode.
Affected Instructions & Locations:
- CALL (Opcode 0x85) - `src/interpreter.rs:430`
  `insn_ptr += insn.imm as usize;` -> attempt to add with overflow
- ALU Operations (e.g., ADD32_IMM) - `src/interpreter.rs:171` & `176`
  Overflows during standard arithmetic operations on registers.
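For readers evaluating the fix rather than the crash, the following is an added example (not rbpf's code and not the reporter's) that puts the reported pattern `insn_ptr += insn.imm as usize;` next to a checked target computation, and shows the wrapping arithmetic an ALU op such as ADD32_IMM needs so that neither path can panic. The names `VmError`, `call_target_unchecked`, `call_target_checked`, `add32_imm` and `add64_imm` and the convention that `insn_ptr` already points at the next instruction are assumptions for the example.

```rust
// Added example, not rbpf's code: unchecked CALL target computation from the
// report beside a bounds-checked one, plus wrapping ALU arithmetic.
// All names below are assumed for the example.

#[derive(Debug, PartialEq)]
pub enum VmError {
    /// CALL target lies outside the program; carries the state for a log line.
    JumpOutOfBounds { from: usize, imm: i32 },
}

/// The pattern from the report. `imm as usize` sign-extends a negative
/// immediate into a value near usize::MAX; `+=` then panics in debug builds
/// ("attempt to add with overflow") and silently wraps in release builds.
/// `wrapping_add` is used here only so this demonstration does not panic.
pub fn call_target_unchecked(insn_ptr: usize, imm: i32) -> usize {
    insn_ptr.wrapping_add(imm as usize)
}

/// Checked replacement: add in i64 with `checked_add`, then accept the result
/// only if it indexes an instruction inside the program. Anything else is an
/// error returned to the caller instead of a panic or an out-of-range index.
pub fn call_target_checked(insn_ptr: usize, imm: i32, prog_len: usize) -> Result<usize, VmError> {
    let from = i64::try_from(insn_ptr).ok();
    let len = i64::try_from(prog_len).ok();
    let target = match (from, len) {
        (Some(from), Some(len)) => match from.checked_add(i64::from(imm)) {
            Some(t) if t >= 0 && t < len => Some(t),
            _ => None,
        },
        _ => None,
    };
    match target {
        Some(t) => Ok(t as usize),
        None => Err(VmError::JumpOutOfBounds { from: insn_ptr, imm }),
    }
}

/// eBPF defines ALU arithmetic as two's-complement modular arithmetic, so the
/// fix for the ADD32_IMM panics is explicit wrapping, not a checked add that
/// rejects the program. 32-bit ALU results are zero-extended into the register.
pub fn add32_imm(dst: u64, imm: i32) -> u64 {
    u64::from((dst as u32).wrapping_add(imm as u32))
}

/// 64-bit counterpart: the immediate is sign-extended, then added modulo 2^64.
pub fn add64_imm(dst: u64, imm: i32) -> u64 {
    dst.wrapping_add(i64::from(imm) as u64)
}

fn main() {
    let prog_len = 10; // constructed program length for the demo
    println!("unchecked 5 + (-1): {}", call_target_unchecked(5, -1));
    println!("checked 5 + (-6): {:?}", call_target_checked(5, -6, prog_len));
    println!("checked 5 + 3: {:?}", call_target_checked(5, 3, prog_len));
    println!("add32 0xffff_ffff + 1: {:#x}", add32_imm(0xffff_ffff, 1));
}
```

The distinction between the two fixes matters: a CALL target outside the program is a verifier or runtime error and should surface as one, while register arithmetic that exceeds 32 or 64 bits is normal eBPF semantics and must wrap rather than fail.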
Error Message (Example from CALL overflow)
```text
thread 'main' panicked at /mnt/e/A_IT/rust_library/rbpf-main/src/interpreter.rs:430:25:
attempt to add with overflow
```
Reproduction Code
I have prepared a dedicated reproduction binary (repro_interpreter.rs) to demonstrate these issues.
Cargo.toml dependencies:
```toml
[dependencies]
rbpf = "0.2" # or current version
```
repro_interpreter.rs:
```rust
use std::env;
use std::fs::File;
use std::io::Read;

use rbpf::EbpfVmMbuff;

fn main() {
    let args: Vec<String> = env::args().collect();
    if args.len() < 2 {
        eprintln!("Usage: cargo run --bin repro_interpreter <poc_file>");
        return;
    }
    let filename = &args[1];

    // Read the raw eBPF bytecode from the PoC file
    let mut file = File::open(filename).expect("Failed to open file");
    let mut prog = Vec::new();
    file.read_to_end(&mut prog).expect("Failed to read file");
    println!("Reproducing Interpreter Crash with: {}", filename);

    // 1. Create VM (this runs the verifier over the program)
    let vm = match EbpfVmMbuff::new(Some(&prog)) {
        Ok(v) => v,
        Err(e) => {
            println!("Verifier failed: {}", e);
            return;
        }
    };
    println!("Verifier passed. Executing program...");

    // 2. Prepare dummy memory and mbuff
    let mut mem = [0u8; 1024];
    let mut mbuff = [0u8; 1024];

    // 3. Execute (This triggers the Integer Overflow panic)
    match vm.execute_program(&mut mem, &mut mbuff) {
        Ok(res) => println!("Execution finished. Result: {}", res),
        Err(e) => println!("Execution error: {}", e),
    }
}
```
POC
poc.zip
(Please see attached binaries)
- `poc_call_overflow.bin` (Triggers overflow at interpreter.rs:430)
- `poc_alu_overflow_1.bin` (Triggers overflow at interpreter.rs:171)
- `poc_alu_overflow_2.bin` (Triggers overflow at interpreter.rs:176)
Stack Trace (Example: CALL Overflow)
```text
thread 'main' (18968) panicked at /mnt/e/A_IT/rust_library/rbpf-main/src/interpreter.rs:430:25:
attempt to add with overflow
stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/b68e16cfc0e9f8b29c9ec41bfa6ab0a637eff19c/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/b68e16cfc0e9f8b29c9ec41bfa6ab0a637eff19c/library/core/src/panicking.rs:80:14
   2: core::panicking::panic_const::panic_const_add_overflow
             at /rustc/b68e16cfc0e9f8b29c9ec41bfa6ab0a637eff19c/library/core/src/panicking.rs:175:17
   3: rbpf::interpreter::execute_program
             at /mnt/e/A_IT/rust_library/rbpf-main/src/interpreter.rs:430:25
   4: <rbpf::EbpfVmMbuff>::execute_program
             at /mnt/e/A_IT/rust_library/rbpf-main/src/lib.rs:473:9
   5: repro_interpreter::main
             at ./issue/interpreter/repro_interpreter.rs:38:14
```