* [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
@ 2018-11-22 15:59 Wei Wu
2018-11-22 16:04 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Wei Wu @ 2018-11-22 15:59 UTC (permalink / raw)
To: Alexei Starovoitov; +Cc: Daniel Borkmann, netdev, Eric Dumazet, Greg KH
Integer overflow in queue_stack_map_alloc when calculating size may
lead to heap overflow of arbitrary length.
The patch fix it by checking whether attr->max_entries+1 <
attr->max_entries and bailing out if it is the case.
The vulnerability is discovered with the assistance of syzkaller.
Reported-by: Wei Wu <ww9210@gmail.com>
To: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev <netdev@vger.kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Wei Wu <ww9210@gmail.com>
---
kernel/bpf/queue_stack_maps.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..c35a8a4721c8 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union
bpf_attr *attr)
u64 queue_size, cost;
size = attr->max_entries + 1;
+ if (size < attr->max_entries)
+ return ERR_PTR(-EINVAL);
value_size = attr->value_size;
queue_size = sizeof(*qs) + (u64) value_size * size;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
2018-11-22 15:59 [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc Wei Wu
@ 2018-11-22 16:04 ` Greg KH
0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2018-11-22 16:04 UTC (permalink / raw)
To: Wei Wu; +Cc: Alexei Starovoitov, Daniel Borkmann, netdev, Eric Dumazet
On Thu, Nov 22, 2018 at 11:59:02PM +0800, Wei Wu wrote:
> Integer overflow in queue_stack_map_alloc when calculating size may
> lead to heap overflow of arbitrary length.
> The patch fix it by checking whether attr->max_entries+1 <
> attr->max_entries and bailing out if it is the case.
> The vulnerability is discovered with the assistance of syzkaller.
>
> Reported-by: Wei Wu <ww9210@gmail.com>
> To: Alexei Starovoitov <ast@kernel.org>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: netdev <netdev@vger.kernel.org>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Wei Wu <ww9210@gmail.com>
> ---
> kernel/bpf/queue_stack_maps.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
> index 8bbd72d3a121..c35a8a4721c8 100644
> --- a/kernel/bpf/queue_stack_maps.c
> +++ b/kernel/bpf/queue_stack_maps.c
> @@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union
> bpf_attr *attr)
> u64 queue_size, cost;
>
> size = attr->max_entries + 1;
> + if (size < attr->max_entries)
> + return ERR_PTR(-EINVAL);
> value_size = attr->value_size;
Your tabs got eaten by your email client and they all disappeared,
making the patch impossible to apply :(
Care to try again?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
@ 2018-11-22 16:35 ww9210
0 siblings, 0 replies; 3+ messages in thread
From: ww9210 @ 2018-11-22 16:35 UTC (permalink / raw)
To: Alexei Starovoitov; +Cc: Daniel Borkmann, netdev, Eric Dumazet, Greg KH, ww9210
Integer overflow in queue_stack_map_alloc when calculating size may lead to heap overflow of arbitrary length.
The patch fix it by checking whether attr->max_entries+1 < attr->max_entries and bailing out if it is the case.
The vulnerability is discovered with the assistance of syzkaller.
Reported-by: Wei Wu <ww9210@gmail.com>
To: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev <netdev@vger.kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Wei Wu <ww9210@gmail.com>
---
kernel/bpf/queue_stack_maps.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..c35a8a4721c8 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
u64 queue_size, cost;
size = attr->max_entries + 1;
+ if (size < attr->max_entries)
+ return ERR_PTR(-EINVAL);
value_size = attr->value_size;
queue_size = sizeof(*qs) + (u64) value_size * size;
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-11-23 3:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-22 15:59 [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc Wei Wu
2018-11-22 16:04 ` Greg KH
2018-11-22 16:35 ww9210
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.