All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
@ 2018-11-22 15:59 Wei Wu
  2018-11-22 16:04 ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Wei Wu @ 2018-11-22 15:59 UTC (permalink / raw)
  To: Alexei Starovoitov; +Cc: Daniel Borkmann, netdev, Eric Dumazet, Greg KH

Integer overflow in queue_stack_map_alloc when calculating size may
lead to heap overflow of arbitrary length.
The patch fix it by checking whether attr->max_entries+1 <
attr->max_entries and bailing out if it is the case.
The vulnerability is discovered with the assistance of syzkaller.

Reported-by: Wei Wu <ww9210@gmail.com>
To: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev <netdev@vger.kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Wei Wu <ww9210@gmail.com>
---
 kernel/bpf/queue_stack_maps.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..c35a8a4721c8 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union
bpf_attr *attr)
  u64 queue_size, cost;

  size = attr->max_entries + 1;
+ if (size < attr->max_entries)
+ return ERR_PTR(-EINVAL);
  value_size = attr->value_size;

  queue_size = sizeof(*qs) + (u64) value_size * size;

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
  2018-11-22 15:59 [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc Wei Wu
@ 2018-11-22 16:04 ` Greg KH
  0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2018-11-22 16:04 UTC (permalink / raw)
  To: Wei Wu; +Cc: Alexei Starovoitov, Daniel Borkmann, netdev, Eric Dumazet

On Thu, Nov 22, 2018 at 11:59:02PM +0800, Wei Wu wrote:
> Integer overflow in queue_stack_map_alloc when calculating size may
> lead to heap overflow of arbitrary length.
> The patch fix it by checking whether attr->max_entries+1 <
> attr->max_entries and bailing out if it is the case.
> The vulnerability is discovered with the assistance of syzkaller.
> 
> Reported-by: Wei Wu <ww9210@gmail.com>
> To: Alexei Starovoitov <ast@kernel.org>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: netdev <netdev@vger.kernel.org>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Wei Wu <ww9210@gmail.com>
> ---
>  kernel/bpf/queue_stack_maps.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
> index 8bbd72d3a121..c35a8a4721c8 100644
> --- a/kernel/bpf/queue_stack_maps.c
> +++ b/kernel/bpf/queue_stack_maps.c
> @@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union
> bpf_attr *attr)
>   u64 queue_size, cost;
> 
>   size = attr->max_entries + 1;
> + if (size < attr->max_entries)
> + return ERR_PTR(-EINVAL);
>   value_size = attr->value_size;

Your tabs got eaten by your email client and they all disappeared,
making the patch impossible to apply :(

Care to try again?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
@ 2018-11-22 16:35 ww9210
  0 siblings, 0 replies; 3+ messages in thread
From: ww9210 @ 2018-11-22 16:35 UTC (permalink / raw)
  To: Alexei Starovoitov; +Cc: Daniel Borkmann, netdev, Eric Dumazet, Greg KH, ww9210

Integer overflow in queue_stack_map_alloc when calculating size may lead to heap overflow of arbitrary length.
The patch fix it by checking whether attr->max_entries+1 < attr->max_entries and bailing out if it is the case.
The vulnerability is discovered with the assistance of syzkaller.

Reported-by: Wei Wu <ww9210@gmail.com>
To: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev <netdev@vger.kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Wei Wu <ww9210@gmail.com>
---
 kernel/bpf/queue_stack_maps.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..c35a8a4721c8 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
 	u64 queue_size, cost;
 
 	size = attr->max_entries + 1;
+	if (size < attr->max_entries)
+		return ERR_PTR(-EINVAL);
 	value_size = attr->value_size;
 
 	queue_size = sizeof(*qs) + (u64) value_size * size;
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-11-23  3:15 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-22 15:59 [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc Wei Wu
2018-11-22 16:04 ` Greg KH
2018-11-22 16:35 ww9210

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.