From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: ast@fb.com, netdev@vger.kernel.org
Subject: Re: [PATCH bpf] bpf, array: fix overflow in max_entries and undefined behavior in index_mask
Date: Wed, 10 Jan 2018 14:58:09 -0800
Message-ID: <20180110225808.w4cypcqsmayec67b@ast-mbp>
In-Reply-To: <20180110222505.4845-1-daniel@iogearbox.net>

On Wed, Jan 10, 2018 at 11:25:05PM +0100, Daniel Borkmann wrote:
> syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
> and thus unprivileged. With the recently added logic in b2157399cc98
> ("bpf: prevent out-of-bounds speculation") we round this up to the next
> power of two value for max_entries for unprivileged such that we can
> apply proper masking into potentially zeroed out map slots.
> 
> However, this will generate an index_mask of 0xffffffff, and therefore
> a + 1 will let this overflow into new max_entries of 0. This will pass
> allocation, etc, and later on map access we still enforce on the original
> attr->max_entries value which was 0xfffffffd, therefore triggering GPF
> all over the place. Thus bail out on overflow in such case.
> 
> Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
> since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
> space is undefined. Therefore, do this by hand in a 64 bit variable.
> 
> This fixes all the issues triggered by syzkaller's reproducers.
> 
> Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
> Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
> Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
> Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
> Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
> Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Applied, thank you Daniel.
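The overflow the commit message describes, as an added example that is not kernel code and not part of this thread: a constructed C model of the index_mask computation before and after the fix. The helper fls32 stands in for fls_long on a 32-bit word, the "before" path models the 64-bit-host behaviour (on 32-bit the shift inside roundup_pow_of_two is undefined), and the bail-out condition is modelled on the commit's description rather than copied from the patch.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Stand-in for fls_long() on a 32-bit word: number of bits needed for x. */
static int fls32(u32 x)
{
    int n = 0;
    while (x) { n++; x >>= 1; }
    return n;
}

/* Before the fix, modelled on a 64-bit host: roundup_pow_of_two() yields
 * 0x100000000 for 0xfffffffd, the u32 index_mask truncates to 0xffffffff
 * and the "+ 1" wraps max_entries to 0, which allocation then accepts.
 * (On a 32-bit host the 1UL << 32 inside roundup_pow_of_two() is UB.) */
static int index_mask_before_fix(u32 attr_max_entries, u32 *index_mask, u32 *max_entries)
{
    u64 rounded = (u64)1 << fls32(attr_max_entries - 1); /* 64-bit unsigned long */
    *index_mask = (u32)(rounded - 1);
    *max_entries = *index_mask + 1; /* u32 wrap: 0xffffffff + 1 == 0 */
    return 0;                       /* no error reported */
}

/* After the fix: build the mask in a 64-bit variable and reject the map
 * when the rounded size no longer fits in u32 (the kernel returns -E2BIG).
 * Zero-entry maps are rejected up front, as the kernel does separately. */
static int index_mask_after_fix(u32 attr_max_entries, u32 *index_mask, u32 *max_entries)
{
    u64 mask64;
    if (attr_max_entries == 0)
        return -1;
    mask64 = (u64)1 << fls32(attr_max_entries - 1);
    mask64 -= 1;
    *index_mask = (u32)mask64;
    *max_entries = *index_mask + 1;
    if (*max_entries < attr_max_entries) /* wrapped past u32: bail out */
        return -1;
    return 0;
}

int main(void)
{
    u32 mask, n;
    index_mask_before_fix(0xfffffffdu, &mask, &n);
    printf("before: index_mask=%#x max_entries=%u\n", mask, n);
    printf("after:  rc=%d\n", index_mask_after_fix(0xfffffffdu, &mask, &n));
    return 0;
}
```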
