* [PATCH bpf] bpf, array: fix overflow in max_entries and undefined behavior in index_mask
@ 2018-01-10 22:25 Daniel Borkmann
2018-01-10 22:58 ` Alexei Starovoitov
0 siblings, 1 reply; 2+ messages in thread
From: Daniel Borkmann @ 2018-01-10 22:25 UTC (permalink / raw)
To: ast; +Cc: netdev, Daniel Borkmann
syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
and thus unprivileged. With the recently added logic in b2157399cc98
("bpf: prevent out-of-bounds speculation") we round this up to the next
power of two value for max_entries for unprivileged such that we can
apply proper masking into potentially zeroed out map slots.
However, this will generate an index_mask of 0xffffffff, and therefore
a + 1 will let this overflow into new max_entries of 0. This will pass
allocation, etc, and later on map access we still enforce on the original
attr->max_entries value which was 0xfffffffd, therefore triggering GPF
all over the place. Thus bail out on overflow in such case.
Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
space is undefined. Therefore, do this by hand in a 64 bit variable.
This fixes all the issues triggered by syzkaller's reproducers.
Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
kernel/bpf/arraymap.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index aaa3198..ab94d30 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -56,7 +56,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
u32 elem_size, index_mask, max_entries;
bool unpriv = !capable(CAP_SYS_ADMIN);
struct bpf_array *array;
- u64 array_size;
+ u64 array_size, mask64;
/* check sanity of attributes */
if (attr->max_entries == 0 || attr->key_size != 4 ||
@@ -74,13 +74,25 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
elem_size = round_up(attr->value_size, 8);
max_entries = attr->max_entries;
- index_mask = roundup_pow_of_two(max_entries) - 1;
- if (unpriv)
+ /* On 32 bit archs roundup_pow_of_two() with max_entries that has
+ * upper most bit set in u32 space is undefined behavior due to
+ * resulting 1U << 32, so do it manually here in u64 space.
+ */
+ mask64 = fls_long(max_entries - 1);
+ mask64 = 1ULL << mask64;
+ mask64 -= 1;
+
+ index_mask = mask64;
+ if (unpriv) {
/* round up array size to nearest power of 2,
* since cpu will speculate within index_mask limits
*/
max_entries = index_mask + 1;
+ /* Check for overflows. */
+ if (max_entries < attr->max_entries)
+ return ERR_PTR(-E2BIG);
+ }
array_size = sizeof(*array);
if (percpu)
--
2.9.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH bpf] bpf, array: fix overflow in max_entries and undefined behavior in index_mask
2018-01-10 22:25 [PATCH bpf] bpf, array: fix overflow in max_entries and undefined behavior in index_mask Daniel Borkmann
@ 2018-01-10 22:58 ` Alexei Starovoitov
0 siblings, 0 replies; 2+ messages in thread
From: Alexei Starovoitov @ 2018-01-10 22:58 UTC (permalink / raw)
To: Daniel Borkmann; +Cc: ast, netdev
On Wed, Jan 10, 2018 at 11:25:05PM +0100, Daniel Borkmann wrote:
> syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
> and thus unprivileged. With the recently added logic in b2157399cc98
> ("bpf: prevent out-of-bounds speculation") we round this up to the next
> power of two value for max_entries for unprivileged such that we can
> apply proper masking into potentially zeroed out map slots.
>
> However, this will generate an index_mask of 0xffffffff, and therefore
> a + 1 will let this overflow into new max_entries of 0. This will pass
> allocation, etc, and later on map access we still enforce on the original
> attr->max_entries value which was 0xfffffffd, therefore triggering GPF
> all over the place. Thus bail out on overflow in such case.
>
> Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
> since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
> space is undefined. Therefore, do this by hand in a 64 bit variable.
>
> This fixes all the issues triggered by syzkaller's reproducers.
>
> Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
> Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
> Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
> Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
> Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
> Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Applied, thank you Daniel.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-01-10 22:58 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-10 22:25 [PATCH bpf] bpf, array: fix overflow in max_entries and undefined behavior in index_mask Daniel Borkmann
2018-01-10 22:58 ` Alexei Starovoitov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.