[PATCH] filter_seccomp: fix jump offset overflow in binary match generator

Paul Chaignon paul.chaignon at gmail.com
Sat Nov 9 08:14:32 UTC 2019

binary_match_filter_generator() is missing a check for jump offset
overflows which might result in incorrect behavior if the binary match
strategy is selected and overflows.

I have only been able to reproduce the bug on mips after forcing strace to
use the binary match generator.  Due to the large number of syscalls on
mips, the binary match algorithm is suboptimal and the linear one is
selected.  This bug could however be triggered inadvertently if tracing a
very large set of syscalls not grouped together; in that case, the linear
strategy might have a jump offset overflow itself and strace would
fall back to the binary match one.

* filter_seccomp (binary_match_filter_generator): Check for jump offset

Signed-off-by: Paul Chaignon <paul.chaignon at gmail.com>
 filter_seccomp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/filter_seccomp.c b/filter_seccomp.c
index 04ee01cc..73d3644e 100644
--- a/filter_seccomp.c
+++ b/filter_seccomp.c
@@ -568,6 +568,11 @@ binary_match_filter_generator(struct sock_filter *filter, bool *overflow)
 		SET_BPF_STMT(&filter[pos++], BPF_RET | BPF_K,
+		if (pos - start > UCHAR_MAX) {
+			*overflow = true;
+			return pos;
+		}
 		for (unsigned int i = start; i < end; ++i) {
 			if (BPF_CLASS(filter[i].code) != BPF_JMP)
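Review bot: the new bound `pos - start > UCHAR_MAX` is conservative rather than exact, and deserves a one-line comment saying so. Classic BPF conditional jumps store their target in the 8-bit jt/jf fields as a distance from the instruction following the jump, so a jump at index i >= start to any target below pos needs an offset of at most pos - start - 2; `pos - start` therefore over-approximates the largest offset and can reject a filter that would still have fit, which is safe but reads like an off-by-one without a comment. If the exact limit matters, the per-jump distance is available in the loop that follows (the same expression the loop presumably writes into jt), and the overflow test could be made there instead. Two smaller points: the hunk introduces UCHAR_MAX without adding an include, so confirm `<limits.h>` is already pulled in by filter_seccomp.c; and the quoted context line `SET_BPF_STMT(&filter[pos++], BPF_RET | BPF_K,` ends mid-statement with the `+` lines following immediately, so the hunk as posted appears to have lost its continuation line, and it is worth checking that the patch applies as sent.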

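The failure mode the patch guards against, as an added stand-alone C example that is not strace's code: a hypothetical linear match generator emits one BPF_JEQ per traced syscall number, all jumping forward to a single shared RET TRACE, then back-patches the jumps. Because a conditional jump's jt/jf fields are 8 bits and are relative to the instruction after the jump, the first JEQ has the largest offset, and with 256 traced numbers it needs offset 256, which no longer fits. The struct, opcode constants and return values mirror the Linux UAPI definitions but are declared locally so the example builds on any host; the syscall numbers 1000..1000+n-1 are a constructed set, and the tiny interpreter models only the three opcodes the generator emits.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local mirror of struct sock_filter from <linux/filter.h>, declared here so
 * the example builds on any host. jt and jf are 8-bit: a conditional jump can
 * skip at most UCHAR_MAX instructions, which is the limit the patch checks. */
struct bpf_insn {
	uint16_t code;
	uint8_t jt;
	uint8_t jf;
	uint32_t k;
};

/* Classic BPF opcode bits and seccomp return values, as in the Linux UAPI. */
#define BPF_LD   0x00
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JMP  0x05
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_RET  0x06
#define SECCOMP_RET_TRACE 0x7ff00000U
#define SECCOMP_RET_ALLOW 0x7fff0000U

#define MAX_INSNS 1024

/*
 * Hypothetical linear match generator (not strace's). One BPF_JEQ per traced
 * syscall number, each jumping forward to a shared RET TRACE; an untraced
 * number falls through to RET ALLOW. Offsets are relative to the instruction
 * after the jump, so the first JEQ has the largest one. Follows the patch's
 * contract: set *overflow and return pos when an offset does not fit in jt.
 */
static unsigned int
linear_match_generator(struct bpf_insn *filter, const uint32_t *nrs,
		       unsigned int n, bool *overflow)
{
	unsigned int pos = 0;

	*overflow = false;
	if (n + 3 > MAX_INSNS) {
		*overflow = true;
		return 0;
	}
	/* A = seccomp_data.nr (offset 0 of struct seccomp_data) */
	filter[pos++] = (struct bpf_insn){ BPF_LD | BPF_W | BPF_ABS, 0, 0, 0 };

	unsigned int start = pos;
	for (unsigned int i = 0; i < n; ++i)	/* jt is back-patched below */
		filter[pos++] = (struct bpf_insn){ BPF_JMP | BPF_JEQ | BPF_K,
						   0, 0, nrs[i] };
	unsigned int end = pos;

	filter[pos++] = (struct bpf_insn){ BPF_RET | BPF_K, 0, 0,
					   SECCOMP_RET_ALLOW };
	unsigned int target = pos;
	filter[pos++] = (struct bpf_insn){ BPF_RET | BPF_K, 0, 0,
					   SECCOMP_RET_TRACE };

	/* Exact per-jump check: distance from the JEQ at i to the shared RET,
	 * measured from the instruction after the JEQ. */
	for (unsigned int i = start; i < end; ++i) {
		unsigned int off = target - i - 1;

		if (off > UCHAR_MAX) {
			*overflow = true;
			return pos;
		}
		filter[i].jt = (uint8_t) off;
	}
	return pos;
}

/* Minimal cBPF interpreter for the three opcodes emitted above. Returns the
 * RET value, or 0 if execution runs off the end of the program. */
static uint32_t
run_filter(const struct bpf_insn *filter, unsigned int len, uint32_t nr)
{
	uint32_t acc = 0;

	for (unsigned int pc = 0; pc < len; ++pc) {
		const struct bpf_insn *in = &filter[pc];

		switch (in->code) {
		case BPF_LD | BPF_W | BPF_ABS:
			acc = nr;	/* only the nr field is modelled */
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:
			pc += (acc == in->k) ? in->jt : in->jf;
			break;
		case BPF_RET | BPF_K:
			return in->k;
		default:
			return 0;
		}
	}
	return 0;
}

/* Builds a filter tracing the constructed set {1000, ..., 1000 + n - 1} and
 * evaluates it on nr. Returns 0 if the generator reported an overflow. */
static uint32_t
result_for(unsigned int n, uint32_t nr)
{
	static struct bpf_insn filter[MAX_INSNS];
	static uint32_t nrs[MAX_INSNS];
	bool overflow;

	for (unsigned int i = 0; i < n; ++i)
		nrs[i] = 1000 + i;
	unsigned int len = linear_match_generator(filter, nrs, n, &overflow);
	return overflow ? 0 : run_filter(filter, len, nr);
}

int
main(void)
{
	/* 255 traced numbers: the first JEQ needs offset 255, the last that fits. */
	printf("n=255 nr=1000 -> %#x\n", result_for(255, 1000));
	printf("n=255 nr=1255 -> %#x\n", result_for(255, 1255));
	/* 256: the first JEQ would need offset 256 > UCHAR_MAX. */
	printf("n=256 -> %s\n", result_for(256, 1000) ? "ok" : "overflow");
	return 0;
}
```

The check here is the exact per-jump one; the patch's `pos - start > UCHAR_MAX` compares the whole emitted span instead, which is an upper bound on any single jump's distance and therefore flags overflow slightly earlier than strictly necessary, never later. Either way the caller gets the signal it needs to fall back to another strategy rather than truncating an offset into jt.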