Instruction LDDW Validation #757

@ppx123-web

Per RFC 9669 (BPF ISA), the LDDW instruction is 16 bytes (two 8-byte instructions). The second half must have dst == 0 (and also src == 0, off == 0).
ubpf_vm.c’s validator currently checks the second-half opcode, but does not enforce dst/src/off == 0, so invalid programs can load and run.

Spec reference

Reproduction

Load the following raw program:

# LDDW with imm=0 (first half)
0x0000000000000018

# Second half with dst != 0 (invalid per spec)
0x0000000000000100

# EXIT
0x0000000000000095

Expected behavior

Load should fail with an error like:

Failed to load code: invalid lddw second half at PC 1

Actual behavior

Program loads and executes successfully (returns 0x0).

Root cause

Validation only checks the second-half opcode, but does not enforce dst/src/off == 0 for the second half of LDDW.

Proposed fix

In ubpf_vm.c’s validator, when validating an LDDW at PC i, validate PC i+1 (second half) as:

  • opcode == 0x00
  • dst == 0
  • src == 0
  • off == 0
  • (imm remains the upper 32 bits of the constant)

and return an error like invalid lddw second half at PC i+1.
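
The second-half check proposed above, as an added example that is not part of the original issue or of ubpf's code. It assumes each instruction is held as a little-endian 64-bit word, as in the reproduction; `check_lddw_pairs` and the field helpers are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OP_LDDW 0x18 /* first-half opcode, as in the issue's reproduction */

/* Field layout of one 8-byte instruction held as a little-endian uint64_t:
 * bits 0-7 opcode, 8-11 dst, 12-15 src, 16-31 off, 32-63 imm. */
static unsigned op_of(uint64_t w)  { return (unsigned)(w & 0xff); }
static unsigned dst_of(uint64_t w) { return (unsigned)((w >> 8) & 0xf); }
static unsigned src_of(uint64_t w) { return (unsigned)((w >> 12) & 0xf); }
static unsigned off_of(uint64_t w) { return (unsigned)((w >> 16) & 0xffff); }

/* Hypothetical helper, not a ubpf function.
 * Returns 0 if every LDDW has a well-formed second half; otherwise returns -1
 * and stores the PC of the offending (or missing) second half in *bad_pc. */
static int check_lddw_pairs(const uint64_t *prog, size_t n, size_t *bad_pc)
{
    for (size_t pc = 0; pc < n; pc++) {
        if (op_of(prog[pc]) != OP_LDDW)
            continue;
        size_t next = pc + 1;
        if (next >= n) {            /* truncated: no second half at all */
            *bad_pc = next;
            return -1;
        }
        uint64_t w = prog[next];
        /* imm is deliberately not checked: it carries the upper 32 bits. */
        if (op_of(w) != 0 || dst_of(w) != 0 || src_of(w) != 0 || off_of(w) != 0) {
            *bad_pc = next;
            return -1;
        }
        pc = next;                  /* second half is data, not an instruction */
    }
    return 0;
}

int main(void)
{
    /* The raw program from the reproduction above. */
    const uint64_t repro[] = { 0x0000000000000018ULL, 0x0000000000000100ULL,
                               0x0000000000000095ULL };
    size_t bad = 0;
    if (check_lddw_pairs(repro, 3, &bad) != 0)
        printf("Failed to load code: invalid lddw second half at PC %zu\n", bad);
    return 0;
}
```

Skipping the second half after a successful check matters: without it, the loop would treat the upper-immediate slot as an instruction of its own.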
