From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wei Wu Subject: [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc. Date: Thu, 22 Nov 2018 23:59:02 +0800 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Cc: Daniel Borkmann , netdev , Eric Dumazet , Greg KH To: Alexei Starovoitov Return-path: Received: from mail-qt1-f193.google.com ([209.85.160.193]:36314 "EHLO mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2438015AbeKWCjL (ORCPT ); Thu, 22 Nov 2018 21:39:11 -0500 Received: by mail-qt1-f193.google.com with SMTP id t13so7864060qtn.3 for ; Thu, 22 Nov 2018 07:59:14 -0800 (PST) Sender: netdev-owner@vger.kernel.org List-ID: Integer overflow in queue_stack_map_alloc when calculating size may lead to heap overflow of arbitrary length. The patch fix it by checking whether attr->max_entries+1 < attr->max_entries and bailing out if it is the case. The vulnerability is discovered with the assistance of syzkaller. Reported-by: Wei Wu To: Alexei Starovoitov Cc: Daniel Borkmann Cc: netdev Cc: Eric Dumazet Cc: Greg KH Signed-off-by: Wei Wu --- kernel/bpf/queue_stack_maps.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c index 8bbd72d3a121..c35a8a4721c8 100644 --- a/kernel/bpf/queue_stack_maps.c +++ b/kernel/bpf/queue_stack_maps.c @@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr) u64 queue_size, cost; size = attr->max_entries + 1; + if (size < attr->max_entries) + return ERR_PTR(-EINVAL); value_size = attr->value_size; queue_size = sizeof(*qs) + (u64) value_size * size;