Home| summaryrefslogtreecommitdiff |
diff options
| author | Jiri Slaby <jslaby@suse.cz> | 2018-01-12 17:34:16 +0100 |
|---|---|---|
| committer | Jiri Slaby <jslaby@suse.cz> | 2018-01-12 17:35:09 +0100 |
| commit | 30459072a60bc8b8f281b9170fc894f7cc3abc01 (patch) | |
| tree | 5306c6841d47de9ce265c274def8e4bb3312dd2d | |
| parent | 9270e0e8090984ef1556414d038ef00fce175e4f (diff) | |
bpf, array: fix overflow in max_entries and undefined behavior
in index_mask (bsc#1068032 CVE-2017-5753).
suse-commit: 3283516d37a349ceeb90630650c41e99f9c7593c
| -rw-r--r-- | kernel/bpf/arraymap.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index 42a1227bf7ef..a4ae1ca44a57 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -53,7 +53,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) u32 elem_size, index_mask, max_entries; bool unpriv = !capable(CAP_SYS_ADMIN); struct bpf_array *array; - u64 array_size; + u64 array_size, mask64; /* check sanity of attributes */ if (attr->max_entries == 0 || attr->key_size != 4 || @@ -70,13 +70,25 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) elem_size = round_up(attr->value_size, 8); max_entries = attr->max_entries; - index_mask = roundup_pow_of_two(max_entries) - 1; - if (unpriv) + /* On 32 bit archs roundup_pow_of_two() with max_entries that has + * upper most bit set in u32 space is undefined behavior due to + * resulting 1U << 32, so do it manually here in u64 space. + */ + mask64 = fls_long(max_entries - 1); + mask64 = 1ULL << mask64; + mask64 -= 1; + + index_mask = mask64; + if (unpriv) { /* round up array size to nearest power of 2, * since cpu will speculate within index_mask limits */ max_entries = index_mask + 1; + /* Check for overflows. */ + if (max_entries < attr->max_entries) + return ERR_PTR(-E2BIG); + } array_size = sizeof(*array); if (percpu) |