* [PATCH bpf] bpf: fix integer overflow in queue_stack_map
From: Alexei Starovoitov @ 2018-11-22 18:49 UTC
To: David S . Miller
Cc: daniel, torvalds, mauricio.vasquez, ww9210, netdev, kernel-team
fix the following issues:
- allow queue_stack_map for root only
- fix u32 max_entries overflow
- disallow value_size == 0
Reported-by: Wei Wu <ww9210@gmail.com>
Fixes: f1a2e44a3aec ("bpf: add queue and stack maps")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
kernel/bpf/queue_stack_maps.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..b384ea9f3254 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -7,6 +7,7 @@
#include <linux/bpf.h>
#include <linux/list.h>
#include <linux/slab.h>
+#include <linux/capability.h>
#include "percpu_freelist.h"
#define QUEUE_STACK_CREATE_FLAG_MASK \
@@ -45,8 +46,12 @@ static bool queue_stack_map_is_full(struct bpf_queue_stack *qs)
/* Called from syscall */
static int queue_stack_map_alloc_check(union bpf_attr *attr)
{
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
/* check sanity of attributes */
if (attr->max_entries == 0 || attr->key_size != 0 ||
+ attr->value_size == 0 ||
attr->map_flags & ~QUEUE_STACK_CREATE_FLAG_MASK)
return -EINVAL;
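Review bot: The capable(CAP_SYS_ADMIN) check at the top of queue_stack_map_alloc_check() changes who may create these maps, but neither the code nor the changelog gives the reason; the message only lists "allow queue_stack_map for root only". A one-line comment above the check, or a sentence in the commit message, stating why the restriction is needed would let later readers judge whether it can be relaxed. Since the check runs before attribute validation, an unprivileged caller passing invalid attributes now sees -EPERM instead of -EINVAL, which matters to any test keyed to the old error code.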
@@ -63,15 +68,10 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
{
int ret, numa_node = bpf_map_attr_numa_node(attr);
struct bpf_queue_stack *qs;
- u32 size, value_size;
- u64 queue_size, cost;
-
- size = attr->max_entries + 1;
- value_size = attr->value_size;
-
- queue_size = sizeof(*qs) + (u64) value_size * size;
+ u64 size, queue_size, cost;
- cost = queue_size;
+ size = (u64) attr->max_entries + 1;
+ cost = queue_size = sizeof(*qs) + size * attr->value_size;
if (cost >= U32_MAX - PAGE_SIZE)
return ERR_PTR(-E2BIG);
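Review bot: In queue_stack_map_alloc(), the test "cost >= U32_MAX - PAGE_SIZE" bounds size only because value_size is at least 1, and that guarantee lives in a different function, in the new "attr->value_size == 0" rejection in queue_stack_map_alloc_check(). With value_size of 0 the product term vanishes and queue_size equals sizeof(*qs) for any max_entries. A short comment here naming that dependency would protect it against a later change to the alloc_check conditions. The (u64) cast on attr->max_entries before the +1 is what stops max_entries == U32_MAX from wrapping to 0 as it did with the old u32 size, so it also deserves a comment to keep a cleanup from dropping it. Splitting the chained "cost = queue_size = ..." into two statements would make the computation easier to read.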
--
2.17.1
* Re: [PATCH bpf] bpf: fix integer overflow in queue_stack_map
From: Daniel Borkmann @ 2018-11-22 20:38 UTC
To: Alexei Starovoitov, David S . Miller
Cc: torvalds, mauricio.vasquez, ww9210, netdev, kernel-team
On 11/22/2018 07:49 PM, Alexei Starovoitov wrote:
> fix the following issues:
> - allow queue_stack_map for root only
> - fix u32 max_entries overflow
> - disallow value_size == 0
>
> Reported-by: Wei Wu <ww9210@gmail.com>
> Fixes: f1a2e44a3aec ("bpf: add queue and stack maps")
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Applied, thanks everyone!