Re: [PATCH 2/2] bpf: cgroup: Fix problematic bounds check
From: Stanislav Fomichev <hidden>
Date: 2021-01-22 17:06:52
Also in:
bpf
From: Stanislav Fomichev <hidden>
Date: 2021-01-22 17:06:52
Also in:
bpf
On Fri, Jan 22, 2021 at 8:43 AM Loris Reiff [off-list ref] wrote:
Since ctx.optlen is signed, a larger value than max_value could be passed, as it is later on used as unsigned, which causes a WARN_ON_ONCE in the copy_to_user. Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") Signed-off-by: Loris Reiff <redacted> --- kernel/bpf/cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 6ec8f02f4..6aa9e10c6 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c@@ -1464,7 +1464,7 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, goto out; } - if (ctx.optlen > max_optlen) { + if (ctx.optlen > max_optlen || ctx.optlen < 0) { ret = -EFAULT; goto out; } --2.29.2
Thanks! I assume this is only an issue if the BPF program is written incorrectly. Reviewed-by: Stanislav Fomichev <redacted>