From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexei Starovoitov
Subject: Re: [PATCH bpf] bpf, array: fix overflow in max_entries and undefined behavior in index_mask
Date: Wed, 10 Jan 2018 14:58:09 -0800
Message-ID: <20180110225808.w4cypcqsmayec67b@ast-mbp>
References: <20180110222505.4845-1-daniel@iogearbox.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: ast@fb.com, netdev@vger.kernel.org
To: Daniel Borkmann
Return-path:
Received: from mail-pg0-f50.google.com ([74.125.83.50]:35325 "EHLO mail-pg0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752273AbeAJW6M (ORCPT ); Wed, 10 Jan 2018 17:58:12 -0500
Received: by mail-pg0-f50.google.com with SMTP id d6so944965pgv.2 for ; Wed, 10 Jan 2018 14:58:11 -0800 (PST)
Content-Disposition: inline
In-Reply-To: <20180110222505.4845-1-daniel@iogearbox.net>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Wed, Jan 10, 2018 at 11:25:05PM +0100, Daniel Borkmann wrote:
> syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
> and thus unprivileged. With the recently added logic in b2157399cc98
> ("bpf: prevent out-of-bounds speculation") we round this up to the next
> power of two value for max_entries for unprivileged such that we can
> apply proper masking into potentially zeroed out map slots.
>
> However, this will generate an index_mask of 0xffffffff, and therefore
> a + 1 will let this overflow into new max_entries of 0. This will pass
> allocation, etc, and later on map access we still enforce on the original
> attr->max_entries value which was 0xfffffffd, therefore triggering GPF
> all over the place. Thus bail out on overflow in such case.
>
> Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
> since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
> space is undefined. Therefore, do this by hand in a 64 bit variable.
>
> This fixes all the issues triggered by syzkaller's reproducers.
>
> Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
> Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
> Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
> Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
> Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
> Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
> Signed-off-by: Daniel Borkmann

Applied, thank you Daniel.
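As an added illustration of the overflow and the 32-bit shift problem described in the quoted commit message (example code, not the kernel's array map code): the mask is built in a 64-bit variable and the rounded-up max_entries for unprivileged users is checked for wraparound. The function names, the privileged flag and the -E2BIG/-EINVAL return values are assumptions, not the kernel's.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Added example, not the kernel's code: models the index_mask / max_entries
 * computation from the commit message so the 0xfffffffd case can be traced.
 * Function names, the 'privileged' flag and the error codes are assumptions. */

/* Position of the highest set bit plus one, like fls_long(); 0 for n == 0. */
static int fls_u32(uint32_t n)
{
    int bits = 0;
    while (n) {
        bits++;
        n >>= 1;
    }
    return bits;
}

/* Derive index_mask and the effective max_entries for a requested size.
 * Returns 0 on success, -E2BIG when rounding up for an unprivileged user
 * would wrap max_entries past u32 (the syzkaller 0xfffffffd case). */
static int array_map_size(uint32_t req_entries, bool privileged,
                          uint32_t *index_mask, uint32_t *max_entries)
{
    uint64_t mask64;

    if (req_entries == 0)
        return -EINVAL; /* assumption: zero-sized maps are rejected earlier */

    /* On 32-bit, 1UL << fls_long(req - 1) is undefined when fls == 32
     * (any request above 0x80000000), so do the shift in a u64 instead. */
    mask64 = ((uint64_t)1 << fls_u32(req_entries - 1)) - 1;
    *index_mask = (uint32_t)mask64;

    if (privileged) {
        *max_entries = req_entries; /* privileged users keep the requested size */
        return 0;
    }

    /* Unprivileged: round max_entries up to index_mask + 1 so that a masked
     * index can only land inside the allocation. For 0xfffffffd the mask is
     * 0xffffffff and mask + 1 truncates to 0 in u32; reject that instead of
     * creating a 0-entry map that later accesses still index by 0xfffffffd. */
    *max_entries = (uint32_t)(mask64 + 1);
    if (*max_entries < req_entries)
        return -E2BIG;
    return 0;
}
```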