Thread (6 messages) 6 messages, 3 authors, 2021-05-17

Re: [PATCH] bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc

From: Bui Quang Minh <hidden>
Date: 2021-01-27 05:10:20
Also in: bpf, lkml

On Tue, Jan 26, 2021 at 09:36:57AM +0000, Lorenz Bauer wrote:
On Tue, 26 Jan 2021 at 08:26, Bui Quang Minh [off-list ref] wrote:
quoted
In 32-bit architecture, the result of sizeof() is a 32-bit integer so
the expression becomes the multiplication between 2 32-bit integer which
can potentially leads to integer overflow. As a result,
bpf_map_area_alloc() allocates less memory than needed.

Fix this by casting 1 operand to u64.
Some quick thoughts:
* Should this have a Fixes tag?
Ok, I will add Fixes tag in later version patch.
* Seems like there are quite a few similar calls scattered around
(cpumap, etc.). Did you audit these as well?
I spotted another bug after re-auditting. In hashtab, there ares 2 places using
the same calls

	static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
	{
		/* ... snip ... */
		if (htab->n_buckets == 0 ||
		    htab->n_buckets > U32_MAX / sizeof(struct bucket))
			goto free_htab;

		htab->buckets = bpf_map_area_alloc(htab->n_buckets *
						   sizeof(struct bucket),
						   htab->map.numa_node);
	}

This is safe because of the above check.

	static int prealloc_init(struct bpf_htab *htab)
	{
		u32 num_entries = htab->map.max_entries;
		htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries,
						 htab->map.numa_node);
	}

This is not safe since there is no limit check in elem_size.

In cpumap,

	static struct bpf_map *cpu_map_alloc(union bpf_attr *attr)
	{
		cmap->cpu_map = bpf_map_area_alloc(cmap->map.max_entries *
						   sizeof(struct bpf_cpu_map_entry *),
						   cmap->map.numa_node);
	}

I think this is safe because max_entries is not permitted to be larger than NR_CPUS.

In stackmap, there is a place that I'm not very sure about

	static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
	{
		u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
		smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
						 smap->map.numa_node);
	}

This is called after another bpf_map_area_alloc in stack_map_alloc(). In the first
bpf_map_area_alloc() the argument is calculated in an u64 variable; so if in the second
one, there is an integer overflow then the first one must be called with size > 4GB. I 
think the first one will probably fail (I am not sure about the actual limit of vmalloc()),
so the second one might not be called.

Overall, I think it is error prone in this pattern, maybe we should use typecasting in all
similar calls or make a comment why we don't use typecasting. As I see typecasting is not so
expensive and we can typecast the sizeof() operand so this change only affect 32-bit
architecture.
* I'd prefer a calloc style version of bpf_map_area_alloc although
that might conflict with Fixes tag.
Yes, I think the calloc style will prevent this kind of integer overflow bug.

Thank you,
Quang Minh.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help