Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2018-01-12 17:34:16 +0100
committerJiri Slaby <jslaby@suse.cz>2018-01-14 16:53:08 +0100
commit121ea2e4fb273ff91ddcf2ceb3e6c78aca3025b1 (patch)
treeba5e47bf5be116a9ba2542c41f59f8341a32cb47
parent5f23d516277274e9350da376a403d82157c1576f (diff)
bpf, array: fix overflow in max_entries and undefined behaviorrpm-4.12.14-8--SLE-15-Packages-Beta5rpm-4.12.14-8
in index_mask (bsc#1068032 CVE-2017-5753). suse-commit: e1fc2a6b15657d349e7cdd5929fa71356b43d50a
-rw-r--r--kernel/bpf/arraymap.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 91198cb3b8dc..eb0bb956b429 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -52,7 +52,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
u32 elem_size, index_mask, max_entries;
bool unpriv = !capable(CAP_SYS_ADMIN);
struct bpf_array *array;
- u64 array_size;
+ u64 array_size, mask64;
/* check sanity of attributes */
if (attr->max_entries == 0 || attr->key_size != 4 ||
@@ -68,13 +68,25 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
elem_size = round_up(attr->value_size, 8);
max_entries = attr->max_entries;
- index_mask = roundup_pow_of_two(max_entries) - 1;
- if (unpriv)
+ /* On 32 bit archs roundup_pow_of_two() with max_entries that has
+ * upper most bit set in u32 space is undefined behavior due to
+ * resulting 1U << 32, so do it manually here in u64 space.
+ */
+ mask64 = fls_long(max_entries - 1);
+ mask64 = 1ULL << mask64;
+ mask64 -= 1;
+
+ index_mask = mask64;
+ if (unpriv) {
/* round up array size to nearest power of 2,
* since cpu will speculate within index_mask limits
*/
max_entries = index_mask + 1;
+ /* Check for overflows. */
+ if (max_entries < attr->max_entries)
+ return ERR_PTR(-E2BIG);
+ }
array_size = sizeof(*array);
if (percpu)