Integer Overflows (panics) in rbpf interpreter leading to DoS or Control Flow Hijacking #136

@Echo8377

Description

I encountered several Integer Overflow issues in the interpreter during testing.

Description

The rbpf interpreter suffers from multiple integer overflows during instruction execution.
These can lead to runtime panics (DoS) or, in the case of the CALL instruction, a potential control flow hijacking if the overflow wraps around in release mode.

Affected Instructions & Locations:

  1. CALL (Opcode 0x85) - src/interpreter.rs:430
    • insn_ptr += insn.imm as usize; -> attempt to add with overflow
  2. ALU Operations (e.g., ADD32_IMM) - src/interpreter.rs:171 & 176
    • Overflows during standard arithmetic operations on registers.

Error Message (Example from CALL overflow)

thread 'main' panicked at /mnt/e/A_IT/rust_library/rbpf-main/src/interpreter.rs:430:25:
attempt to add with overflow

Reproduction Code

I have prepared a dedicated reproduction binary (repro_interpreter.rs) to demonstrate these issues.

Cargo.toml dependencies:

[dependencies]
rbpf = "0.2" # or current version

repro_interpreter.rs:

use std::env;
use std::fs::File;
use std::io::Read;
use rbpf::EbpfVmMbuff;

fn main() {
    let args: Vec<String> = env::args().collect();
    if args.len() < 2 {
        eprintln!("Usage: cargo run --bin repro_interpreter <poc_file>");
        return;
    }
    
    let filename = &args[1];
    let mut file = File::open(filename).expect("Failed to open file");
    let mut prog = Vec::new();
    file.read_to_end(&mut prog).expect("Failed to read file");

    println!("Reproducing Interpreter Crash with: {}", filename);

    // 1. Create VM
    let vm = match EbpfVmMbuff::new(Some(&prog)) {
        Ok(v) => v,
        Err(e) => {
            println!("Verifier failed: {}", e);
            return;
        }
    };

    println!("Verifier passed. Executing program...");

    // 2. Prepare dummy memory and mbuff
    let mut mem = [0u8; 1024];
    let mut mbuff = [0u8; 1024];

    // 3. Execute (This triggers the Integer Overflow panic)
    match vm.execute_program(&mut mem, &mut mbuff) {
        Ok(res) => println!("Execution finished. Result: {}", res),
        Err(e) => println!("Execution error: {}", e),
    }
}

POC

poc.zip

(Please see attached binaries)
[poc_call_overflow.bin] (Triggers overflow at interpreter.rs:430)
[poc_alu_overflow_1.bin] (Triggers overflow at interpreter.rs:171)
[poc_alu_overflow_2.bin] (Triggers overflow at interpreter.rs:176)

Stack Trace (Example: CALL Overflow)

thread 'main' (18968) panicked at /mnt/e/A_IT/rust_library/rbpf-main/src/interpreter.rs:430:25:
attempt to add with overflow
stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/b68e16cfc0e9f8b29c9ec41bfa6ab0a637eff19c/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/b68e16cfc0e9f8b29c9ec41bfa6ab0a637eff19c/library/core/src/panicking.rs:80:14
   2: core::panicking::panic_const::panic_const_add_overflow
             at /rustc/b68e16cfc0e9f8b29c9ec41bfa6ab0a637eff19c/library/core/src/panicking.rs:175:17
   3: rbpf::interpreter::execute_program
             at /mnt/e/A_IT/rust_library/rbpf-main/src/interpreter.rs:430:25
   4: <rbpf::EbpfVmMbuff>::execute_program
             at /mnt/e/A_IT/rust_library/rbpf-main/src/lib.rs:473:9
   5: repro_interpreter::main
             at ./issue/interpreter/repro_interpreter.rs:38:14
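
A hardened form of the two arithmetic sites named in the report (the `insn_ptr += insn.imm as usize` CALL update and the 32/64-bit ALU adds), as an added example that is not part of this issue or of rbpf's own code; `checked_call_target`, `add32_imm`, `add64_imm`, `StepError` and the `prog_len` parameter are names assumed here, and the sample inputs are constructed.

```rust
/// Error returned instead of panicking when a jump target is invalid.
#[derive(Debug, PartialEq, Eq)]
pub enum StepError {
    JumpOutOfBounds { from: usize, offset: i32 },
}

/// Hardened version of the `insn_ptr += insn.imm as usize` update quoted
/// in the report. `prog_len` is the number of instructions. A negative
/// `imm` is subtracted rather than cast to a huge usize, every step is
/// checked, and the result must index an existing instruction, so neither
/// the debug-mode panic nor a release-mode wrap-around can occur.
pub fn checked_call_target(insn_ptr: usize, imm: i32, prog_len: usize) -> Result<usize, StepError> {
    let err = StepError::JumpOutOfBounds { from: insn_ptr, offset: imm };
    let target = if imm >= 0 {
        insn_ptr.checked_add(imm as usize)
    } else {
        insn_ptr.checked_sub(imm.unsigned_abs() as usize)
    };
    match target {
        Some(t) if t < prog_len => Ok(t),
        _ => Err(err),
    }
}

/// 32-bit ADD with immediate using eBPF semantics: the low 32 bits wrap on
/// overflow and the result is zero-extended into the 64-bit register.
/// `wrapping_add` makes the wrap explicit instead of a debug-mode panic.
pub fn add32_imm(reg: u64, imm: i32) -> u64 {
    ((reg as u32).wrapping_add(imm as u32)) as u64
}

/// 64-bit ADD with immediate: imm is sign-extended to 64 bits, then wraps.
pub fn add64_imm(reg: u64, imm: i32) -> u64 {
    reg.wrapping_add(imm as i64 as u64)
}

fn main() {
    // Constructed inputs: a 10-instruction program with insn_ptr at 5.
    println!("{:?}", checked_call_target(5, 3, 10)); // Ok(8)
    println!("{:?}", checked_call_target(5, -6, 10)); // Err(JumpOutOfBounds { .. })
    println!("{:#x}", add32_imm(0xFFFF_FFFF, 1)); // 0x0
}
```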
