Attempt to divide by zero in DIV32 of interpreter

[pcy190]

Details

In the implementation of DIV32, it checks whether the 64-bit source value is zero. However, during the division computation, the source is casted to 32-bit, which could still be zero, e.g., 0xffff000000000000. According to the kernel ebpf standard, we should check the division by zero by checking the nullness of the 32-bit source value.

https://github.com/torvalds/linux/blob/610a9b8f49fbcf1100716370d3b5f6f884a2835a/Documentation/bpf/standardization/instruction-set.rst?plain=1#L246-L251

If BPF program execution would result in division by zero, the destination register is instead set to zero.

The current implementation of DIV32_IMM and DIV32_REG lacks the check to the lower 32 bits of source value.

rbpf/src/interpreter.rs

Lines 217 to 220 in 4812c52

	ebpf::DIV32_IMM if insn.imm == 0 => reg[_dst] = 0,
	ebpf::DIV32_IMM => reg[_dst] = (reg[_dst] as u32 / insn.imm as u32) as u64,
	ebpf::DIV32_REG if reg[_src] == 0 => reg[_dst] = 0,
	ebpf::DIV32_REG => reg[_dst] = (reg[_dst] as u32 / reg[_src] as u32) as u64,

The following PoC program would cause the attempt to calculate the remainder with a divisor of zero panic in the interpreter:

lddw r1, 0x100000000
div32 r0, r1
exit

Result:

attempt to divide by zero
thread '' panicked at 'attempt to divide by zero', src/interpreter.rs:222:45
stack backtrace:
...
   3: rbpf::interpreter::execute_program
             at ./src/interpreter.rs:222:45
   4: rbpf::EbpfVmMbuff::execute_program
             at ./src/lib.rs:300:9
   5: rbpf::EbpfVmRaw::execute_program
             at ./src/lib.rs:1221:9

The expected result is that the program executed with r0 set to zero, without panic/error.

Suggestion

Check nullness of 32-bit casted source value before division