Thread: 6 messages, 3 authors, 2021-05-17

Re: [PATCH] bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc

From: Bui Quang Minh <hidden>
Date: 2021-01-27 05:25:18
Also in: bpf, lkml

On Wed, Jan 27, 2021 at 11:23:41AM +0700, Bui Quang Minh wrote:
> * Seems like there are quite a few similar calls scattered around
> (cpumap, etc.). Did you audit these as well?
I spotted another bug after re-auditing. In hashtab, there are 2 places using
the same calls:

	static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
	{
		/* ... snip ... */
		if (htab->n_buckets == 0 ||
		    htab->n_buckets > U32_MAX / sizeof(struct bucket))
			goto free_htab;

		htab->buckets = bpf_map_area_alloc(htab->n_buckets *
						   sizeof(struct bucket),
						   htab->map.numa_node);
	}

This is safe because of the above check.

	static int prealloc_init(struct bpf_htab *htab)
	{
		u32 num_entries = htab->map.max_entries;
		htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries,
						 htab->map.numa_node);
	}

This is not safe since there is no limit check on elem_size.
So sorry, but I rechecked and saw that this bug in hashtab has been fixed by commit
e1868b9e36d0ca.

Thank you,
Quang Minh.
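The two patterns contrasted above (the divisor guard in htab_map_alloc versus the unchecked `elem_size * num_entries` product in prealloc_init) can be reproduced in plain userspace C. The following is an added illustration, not code from the kernel or from this thread; `struct bucket` is a 16-byte stand-in for the real structure, the `u32`/`u64` typedefs mimic kernel types, and the function names are made up for the example. It shows that when both operands are `u32`, the product wraps before it ever reaches the allocator, so a wider parameter type on the callee does not help; it then shows the division-based guard and a saturating multiply in the spirit of the kernel's `array_size()` helper.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Constructed stand-in for the kernel's struct bucket (16 bytes here). */
struct bucket { u64 head; u64 lock; };

/* The unsafe shape from prealloc_init: two u32 operands, so the multiplication
 * is performed in 32 bits and silently wraps before the result is passed on. */
u32 unchecked_alloc_size(u32 elem_size, u32 num_entries)
{
	return elem_size * num_entries;
}

/* The mathematically exact product, for comparison with the wrapped one. */
u64 exact_alloc_size(u32 elem_size, u32 num_entries)
{
	return (u64)elem_size * num_entries;
}

/* The guard shape from htab_map_alloc: refuse before multiplying whenever the
 * product cannot fit in u32. Returns false when the caller should bail out. */
bool alloc_size_fits(u32 elem_size, u32 num_entries, u32 *out)
{
	if (elem_size == 0 || num_entries == 0)
		return false;
	if (num_entries > UINT32_MAX / elem_size)
		return false;
	*out = elem_size * num_entries;
	return true;
}

/* Saturating multiply in the spirit of the kernel's array_size(): on overflow
 * the result becomes SIZE_MAX, which any allocator will then reject instead of
 * handing back an undersized buffer. __builtin_mul_overflow is a GCC/Clang
 * builtin (the kernel's check_mul_overflow wraps the same primitive). */
size_t saturating_array_size(size_t n, size_t size)
{
	size_t bytes;

	if (__builtin_mul_overflow(n, size, &bytes))
		return SIZE_MAX;
	return bytes;
}

int main(void)
{
	u32 elem_size = 0x10000, num_entries = 0x10000, bytes;

	/* 65536 * 65536 == 2^32: the u32 product wraps to 0 */
	printf("unchecked: %u (exact %llu)\n",
	       unchecked_alloc_size(elem_size, num_entries),
	       (unsigned long long)exact_alloc_size(elem_size, num_entries));
	printf("guarded: %s\n",
	       alloc_size_fits(elem_size, num_entries, &bytes) ? "ok" : "rejected");
	printf("buckets: %zu bytes\n",
	       saturating_array_size(num_entries, sizeof(struct bucket)));
	return 0;
}
```

Compile with `cc -std=c11 overflow_demo.c` (GCC or Clang, for the builtin). The guard uses division rather than a widened multiply so that it stays correct even on a 32-bit `size_t`; the saturating form is the more general tool, because it needs no per-call-site knowledge of the operand bounds.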