All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH bpf] bpf: fix integer overflow in queue_stack_map
@ 2018-11-22 18:49 Alexei Starovoitov
  2018-11-22 20:38 ` Daniel Borkmann
  0 siblings, 1 reply; 2+ messages in thread
From: Alexei Starovoitov @ 2018-11-22 18:49 UTC (permalink / raw)
  To: David S . Miller
  Cc: daniel, torvalds, mauricio.vasquez, ww9210, netdev, kernel-team

fix the following issues:
- allow queue_stack_map for root only
- fix u32 max_entries overflow
- disallow value_size == 0

Reported-by: Wei Wu <ww9210@gmail.com>
Fixes: f1a2e44a3aec ("bpf: add queue and stack maps")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/bpf/queue_stack_maps.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..b384ea9f3254 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -7,6 +7,7 @@
 #include <linux/bpf.h>
 #include <linux/list.h>
 #include <linux/slab.h>
+#include <linux/capability.h>
 #include "percpu_freelist.h"
 
 #define QUEUE_STACK_CREATE_FLAG_MASK \
@@ -45,8 +46,12 @@ static bool queue_stack_map_is_full(struct bpf_queue_stack *qs)
 /* Called from syscall */
 static int queue_stack_map_alloc_check(union bpf_attr *attr)
 {
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	/* check sanity of attributes */
 	if (attr->max_entries == 0 || attr->key_size != 0 ||
+	    attr->value_size == 0 ||
 	    attr->map_flags & ~QUEUE_STACK_CREATE_FLAG_MASK)
 		return -EINVAL;
 
@@ -63,15 +68,10 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
 {
 	int ret, numa_node = bpf_map_attr_numa_node(attr);
 	struct bpf_queue_stack *qs;
-	u32 size, value_size;
-	u64 queue_size, cost;
-
-	size = attr->max_entries + 1;
-	value_size = attr->value_size;
-
-	queue_size = sizeof(*qs) + (u64) value_size * size;
+	u64 size, queue_size, cost;
 
-	cost = queue_size;
+	size = (u64) attr->max_entries + 1;
+	cost = queue_size = sizeof(*qs) + size * attr->value_size;
 	if (cost >= U32_MAX - PAGE_SIZE)
 		return ERR_PTR(-E2BIG);
 
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH bpf] bpf: fix integer overflow in queue_stack_map
  2018-11-22 18:49 [PATCH bpf] bpf: fix integer overflow in queue_stack_map Alexei Starovoitov
@ 2018-11-22 20:38 ` Daniel Borkmann
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Borkmann @ 2018-11-22 20:38 UTC (permalink / raw)
  To: Alexei Starovoitov, David S . Miller
  Cc: torvalds, mauricio.vasquez, ww9210, netdev, kernel-team

On 11/22/2018 07:49 PM, Alexei Starovoitov wrote:
> fix the following issues:
> - allow queue_stack_map for root only
> - fix u32 max_entries overflow
> - disallow value_size == 0
> 
> Reported-by: Wei Wu <ww9210@gmail.com>
> Fixes: f1a2e44a3aec ("bpf: add queue and stack maps")
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Applied, thanks everyone!

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-11-23  7:19 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-22 18:49 [PATCH bpf] bpf: fix integer overflow in queue_stack_map Alexei Starovoitov
2018-11-22 20:38 ` Daniel Borkmann

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.