Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 813961de authored by Alexei Starovoitov's avatar Alexei Starovoitov Committed by Daniel Borkmann
Browse files

bpf: fix integer overflow in queue_stack_map 



Fix the following issues:

- allow queue_stack_map for root only
- fix u32 max_entries overflow
- disallow value_size == 0

Fixes: f1a2e44a ("bpf: add queue and stack maps")
Reported-by: default avatarWei Wu <ww9210@gmail.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Cc: Mauricio Vasquez B <mauricio.vasquez@polito.it>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parent dde7011a

kernel/bpf/queue_stack_maps.c

+8 −8
Original line number Diff line number Diff line
@@ -7,6 +7,7 @@ 
#include <linux/bpf.h>

#include <linux/list.h>

#include <linux/slab.h>

#include <linux/capability.h>

#include "percpu_freelist.h"



#define QUEUE_STACK_CREATE_FLAG_MASK \
@@ -45,8 +46,12 @@ static bool queue_stack_map_is_full(struct bpf_queue_stack *qs) 
/* Called from syscall */

static int queue_stack_map_alloc_check(union bpf_attr *attr)

{

	if (!capable(CAP_SYS_ADMIN))

		return -EPERM;



	/* check sanity of attributes */

	if (attr->max_entries == 0 || attr->key_size != 0 ||

	    attr->value_size == 0 ||

	    attr->map_flags & ~QUEUE_STACK_CREATE_FLAG_MASK)

		return -EINVAL;
@@ -63,15 +68,10 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr) 
{

	int ret, numa_node = bpf_map_attr_numa_node(attr);

	struct bpf_queue_stack *qs;

	u32 size, value_size;

	u64 queue_size, cost;



	size = attr->max_entries + 1;

	value_size = attr->value_size;



	queue_size = sizeof(*qs) + (u64) value_size * size;

	u64 size, queue_size, cost;



	cost = queue_size;

	size = (u64) attr->max_entries + 1;

	cost = queue_size = sizeof(*qs) + size * attr->value_size;

	if (cost >= U32_MAX - PAGE_SIZE)

		return ERR_PTR(-E2BIG);