* [PATCH v2] bpf: Fix integer overflow in prealloc_elems_and_freelist()
@ 2021-09-30 13:55 Tatsuhiko Yasumatsu
2021-09-30 16:20 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Tatsuhiko Yasumatsu @ 2021-09-30 13:55 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko
Cc: th.yasumatsu, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, netdev, bpf, linux-kernel
In prealloc_elems_and_freelist(), the multiplication to calculate the
size passed to bpf_map_area_alloc() could lead to an integer overflow.
As a result, out-of-bounds write could occur in pcpu_freelist_populate()
as reported by KASAN:
[...]
[ 16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100
[ 16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78
[ 16.970038]
[ 16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1
[ 16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 16.972026] Call Trace:
[ 16.972306] dump_stack_lvl+0x34/0x44
[ 16.972687] print_address_description.constprop.0+0x21/0x140
[ 16.973297] ? pcpu_freelist_populate+0xd9/0x100
[ 16.973777] ? pcpu_freelist_populate+0xd9/0x100
[ 16.974257] kasan_report.cold+0x7f/0x11b
[ 16.974681] ? pcpu_freelist_populate+0xd9/0x100
[ 16.975190] pcpu_freelist_populate+0xd9/0x100
[ 16.975669] stack_map_alloc+0x209/0x2a0
[ 16.976106] __sys_bpf+0xd83/0x2ce0
[...]
The possibility of this overflow was originally discussed in [0], but
was overlooked.
Fix the integer overflow by changing elem_size to u64 from u32.
[0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/
Fixes: 557c0c6e7df8 ("bpf: convert stackmap to pre-allocation")
Signed-off-by: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
---
- v2:
Fix the overflow by changing elem_size to u64,
instead of fixing it by casting one operand of the multiplication
which is passed to bpf_map_area_alloc().
kernel/bpf/stackmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 09a3fd97d329..6e75bbee39f0 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -63,7 +63,8 @@ static inline int stack_map_data_size(struct bpf_map *map)
static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
{
- u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
+ u64 elem_size = sizeof(struct stack_map_bucket) +
+ (u64)smap->map.value_size;
int err;
smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] bpf: Fix integer overflow in prealloc_elems_and_freelist()
2021-09-30 13:55 [PATCH v2] bpf: Fix integer overflow in prealloc_elems_and_freelist() Tatsuhiko Yasumatsu
@ 2021-09-30 16:20 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-09-30 16:20 UTC (permalink / raw)
To: Tatsuhiko Yasumatsu
Cc: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend,
kpsingh, netdev, bpf, linux-kernel
Hello:
This patch was applied to bpf/bpf.git (refs/heads/master):
On Thu, 30 Sep 2021 22:55:45 +0900 you wrote:
> In prealloc_elems_and_freelist(), the multiplication to calculate the
> size passed to bpf_map_area_alloc() could lead to an integer overflow.
> As a result, out-of-bounds write could occur in pcpu_freelist_populate()
> as reported by KASAN:
>
> [...]
> [ 16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100
> [ 16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78
> [ 16.970038]
> [ 16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1
> [ 16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> [ 16.972026] Call Trace:
> [ 16.972306] dump_stack_lvl+0x34/0x44
> [ 16.972687] print_address_description.constprop.0+0x21/0x140
> [ 16.973297] ? pcpu_freelist_populate+0xd9/0x100
> [ 16.973777] ? pcpu_freelist_populate+0xd9/0x100
> [ 16.974257] kasan_report.cold+0x7f/0x11b
> [ 16.974681] ? pcpu_freelist_populate+0xd9/0x100
> [ 16.975190] pcpu_freelist_populate+0xd9/0x100
> [ 16.975669] stack_map_alloc+0x209/0x2a0
> [ 16.976106] __sys_bpf+0xd83/0x2ce0
> [...]
>
> [...]
Here is the summary with links:
- [v2] bpf: Fix integer overflow in prealloc_elems_and_freelist()
https://git.kernel.org/bpf/bpf/c/30e29a9a2bc6
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-09-30 16:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-30 13:55 [PATCH v2] bpf: Fix integer overflow in prealloc_elems_and_freelist() Tatsuhiko Yasumatsu
2021-09-30 16:20 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).