From mboxrd@z Thu Jan 1 00:00:00 1970 From: Greg KH Subject: Re: [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc. Date: Thu, 22 Nov 2018 17:04:42 +0100 Message-ID: <20181122160442.GA25649@kroah.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Alexei Starovoitov , Daniel Borkmann , netdev , Eric Dumazet To: Wei Wu Return-path: Received: from out4-smtp.messagingengine.com ([66.111.4.28]:47789 "EHLO out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729773AbeKWCoo (ORCPT ); Thu, 22 Nov 2018 21:44:44 -0500 Content-Disposition: inline In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Thu, Nov 22, 2018 at 11:59:02PM +0800, Wei Wu wrote: > Integer overflow in queue_stack_map_alloc when calculating size may > lead to heap overflow of arbitrary length. > The patch fix it by checking whether attr->max_entries+1 < > attr->max_entries and bailing out if it is the case. > The vulnerability is discovered with the assistance of syzkaller. > > Reported-by: Wei Wu > To: Alexei Starovoitov > Cc: Daniel Borkmann > Cc: netdev > Cc: Eric Dumazet > Cc: Greg KH > Signed-off-by: Wei Wu > --- > kernel/bpf/queue_stack_maps.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c > index 8bbd72d3a121..c35a8a4721c8 100644 > --- a/kernel/bpf/queue_stack_maps.c > +++ b/kernel/bpf/queue_stack_maps.c > @@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union > bpf_attr *attr) > u64 queue_size, cost; > > size = attr->max_entries + 1; > + if (size < attr->max_entries) > + return ERR_PTR(-EINVAL); > value_size = attr->value_size; Your tabs got eaten by your email client and they all disappeared, making the patch impossible to apply :( Care to try again? thanks, greg k-h