From a7280f117abae898925b8883341138ff1178cd9d Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Thu, 12 Nov 2020 22:35:13 +0000
Subject: [PATCH] fix bpf lddw check (#13554) (#13558)

(cherry picked from commit 30ef53cb13e7fe94571a0c3e45e058c551d8ad6f)
Co-authored-by: Jack May
---
 programs/bpf_loader/src/bpf_verifier.rs | 2 +-
 programs/bpf_loader/src/lib.rs | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/programs/bpf_loader/src/bpf_verifier.rs b/programs/bpf_loader/src/bpf_verifier.rs
index 816bdafe47..82c6d7613f 100644
--- a/programs/bpf_loader/src/bpf_verifier.rs
+++ b/programs/bpf_loader/src/bpf_verifier.rs
@@ -83,7 +83,7 @@ fn check_imm_endian(insn: &ebpf::Insn, insn_ptr: usize) -> Result<(), BPFError>
 }
 
 fn check_load_dw(prog: &[u8], insn_ptr: usize) -> Result<(), BPFError> {
- if insn_ptr >= (prog.len() / ebpf::INSN_SIZE) {
+ if insn_ptr + 1 >= (prog.len() / ebpf::INSN_SIZE) {
 // Last instruction cannot be LD_DW because there would be no 2nd DW
 return Err(VerifierError::LDDWCannotBeLast.into());
 }
diff --git a/programs/bpf_loader/src/lib.rs b/programs/bpf_loader/src/lib.rs
index 877d97a14d..2030e8484a 100644
--- a/programs/bpf_loader/src/lib.rs
+++ b/programs/bpf_loader/src/lib.rs
@@ -350,6 +350,15 @@ mod tests {
 .unwrap();
 }
 
+ #[test]
+ #[should_panic(expected = "VerifierError(LDDWCannotBeLast)")]
+ fn test_bpf_loader_check_load_dw() {
+ let prog = &[
+ 0x18, 0x00, 0x00, 0x00, 0x88, 0x77, 0x66, 0x55, // first half of lddw
+ ];
+ bpf_verifier::check(prog, true).unwrap();
+ }
+
 #[test]
 fn test_bpf_loader_write() {
 let program_id = solana_sdk::pubkey::new_rand();
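Review bot: The comment under the corrected guard in `check_load_dw` (bpf_verifier.rs) still only says that LD_DW cannot be last, and does not state the invariant that the `+ 1` now enforces on untrusted program bytes. I would spell it out, e.g. `// LD_DW occupies slots insn_ptr and insn_ptr + 1; both must lie inside prog before the second slot is read`. The function body continues past the hunk, so the read of the second slot is not visible here; presumably it indexes `insn_ptr + 1`, which is what makes this bound load-bearing. Note also that `prog.len() / ebpf::INSN_SIZE` truncates, so a trailing partial instruction is invisible to this check and has to be rejected elsewhere (not shown in the hunk). If `insn_ptr` can ever originate outside the verifier's own instruction loop, `insn_ptr.saturating_add(1)` would avoid a wrap in release builds.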
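Review bot: `test_bpf_loader_check_load_dw` in lib.rs pins the verifier result through `#[should_panic(expected = "VerifierError(LDDWCannotBeLast)")]` on `.unwrap()`, which only matches a substring of a panic message. Any panic whose text happens to contain that string would pass, and the test is tied to the error's `Debug` formatting. Asserting on the returned value is tighter, for example `let err = bpf_verifier::check(prog, true).unwrap_err();` followed by a match on the variant (the exact error path is not visible in this hunk, so confirm it against `BPFError`). The input also covers only a program that is a single half LD_DW. A case where LD_DW is the last slot after other instructions, plus a positive case with both halves present, would pin the boundary on both sides of the off-by-one this commit fixes.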