From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Bixuan Cui <cuibixuan@huawei.com>,
syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com,
Alexei Starovoitov <ast@kernel.org>, Yonghong Song <yhs@fb.com>,
Sasha Levin <sashal@kernel.org>,
daniel@iogearbox.net, andrii@kernel.org, netdev@vger.kernel.org,
bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 06/19] bpf: Add oversize check before call kvcalloc()
Date: Wed, 22 Sep 2021 23:38:40 -0400 [thread overview]
Message-ID: <20210923033853.1421193-6-sashal@kernel.org> (raw)
In-Reply-To: <20210923033853.1421193-1-sashal@kernel.org>
From: Bixuan Cui <cuibixuan@huawei.com>
[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ]
Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the
oversize check. When the allocation is larger than what kmalloc() supports,
the following warning triggered:
WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
Modules linked in:
CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
Call Trace:
kvmalloc include/linux/mm.h:806 [inline]
kvmalloc_array include/linux/mm.h:824 [inline]
kvcalloc include/linux/mm.h:829 [inline]
check_btf_line kernel/bpf/verifier.c:9925 [inline]
check_btf_info kernel/bpf/verifier.c:10049 [inline]
bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
__sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
__do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 60383b28549b..9c5fa5c52903 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6839,6 +6839,8 @@ static int check_btf_line(struct bpf_verifier_env *env,
nr_linfo = attr->line_info_cnt;
if (!nr_linfo)
return 0;
+ if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))
+ return -EINVAL;
rec_size = attr->line_info_rec_size;
if (rec_size < MIN_BPF_LINEINFO_SIZE ||
--
2.30.2
next prev parent reply other threads:[~2021-09-23 3:40 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-23 3:38 [PATCH AUTOSEL 5.4 01/19] ibmvnic: check failover_pending in login response Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 02/19] net: macb: fix use after free on rmmod Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 03/19] net: stmmac: allow CSR clock of 300MHz Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 04/19] m68k: Double cast io functions to unsigned long Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 05/19] ipv6: delay fib6_sernum increase in fib6_add Sasha Levin
2021-09-23 3:38 ` Sasha Levin [this message]
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 07/19] xen/balloon: use a kernel thread instead a workqueue Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 08/19] nvme-multipath: fix ANA state updates when a namespace is not present Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 09/19] sparc32: page align size in arch_dma_alloc Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 10/19] blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 11/19] compiler.h: Introduce absolute_pointer macro Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 12/19] net: i825xx: Use absolute_pointer for memcpy from fixed memory location Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 13/19] sparc: avoid stringop-overread errors Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 14/19] qnx4: " Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 15/19] parisc: Use absolute_pointer() to define PAGE0 Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 16/19] arm64: Mark __stack_chk_guard as __ro_after_init Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 17/19] alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 18/19] net: 6pack: Fix tx timeout and slot time Sasha Levin
2021-09-23 3:38 ` [PATCH AUTOSEL 5.4 19/19] spi: Fix tegra20 build with CONFIG_PM=n Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210923033853.1421193-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=cuibixuan@huawei.com \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).