From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Bixuan Cui <cuibixuan@huawei.com>,
	syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com,
	Alexei Starovoitov <ast@kernel.org>, Yonghong Song <yhs@fb.com>,
	Sasha Levin <sashal@kernel.org>,
	daniel@iogearbox.net, andrii@kernel.org, netdev@vger.kernel.org,
	bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 06/19] bpf: Add oversize check before call kvcalloc()
Date: Wed, 22 Sep 2021 23:38:40 -0400
Message-ID: <20210923033853.1421193-6-sashal@kernel.org>
In-Reply-To: <20210923033853.1421193-1-sashal@kernel.org>

From: Bixuan Cui <cuibixuan@huawei.com>

[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ]

Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") added the
oversize check. When the allocation is larger than what kmalloc() supports,
the following warning is triggered:

WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
Modules linked in:
CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
Call Trace:
 kvmalloc include/linux/mm.h:806 [inline]
 kvmalloc_array include/linux/mm.h:824 [inline]
 kvcalloc include/linux/mm.h:829 [inline]
 check_btf_line kernel/bpf/verifier.c:9925 [inline]
 check_btf_info kernel/bpf/verifier.c:10049 [inline]
 bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
 bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
 __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 60383b28549b..9c5fa5c52903 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6839,6 +6839,8 @@ static int check_btf_line(struct bpf_verifier_env *env,
 	nr_linfo = attr->line_info_cnt;
 	if (!nr_linfo)
 		return 0;
+	if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))
+		return -EINVAL;
 
 	rec_size = attr->line_info_rec_size;
 	if (rec_size < MIN_BPF_LINEINFO_SIZE ||
-- 
2.30.2

