diff options
| author | Alexei Starovoitov <ast@kernel.org> | 2024-03-07 20:02:39 -0800 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2024-03-07 20:06:32 -0800 |
| commit | a27e89673abf1623c298ea84eaa03f4c57aeca1b (patch) | |
| tree | 055be779382b86723c540e8c180876dd163b4826 /kernel/bpf/devmap.c | |
| parent | c7d4274e90a1e7aa43d11d2a16066cbbe610070e (diff) | |
| parent | 7a4b21250bf79eef26543d35bd390448646c536b (diff) | |
Merge branch 'fix-hash-bucket-overflow-checks-for-32-bit-arches'
Toke Høiland-Jørgensen says:
====================
Fix hash bucket overflow checks for 32-bit arches
Syzbot managed to trigger a crash by creating a DEVMAP_HASH map with a
large number of buckets because the overflow check relies on
well-defined behaviour that is only correct on 64-bit arches.
Fix the overflow checks to happen before values are rounded up in all
the affected map types.
v3:
- Keep the htab->n_buckets > U32_MAX / sizeof(struct bucket) check
- Use 1UL << 31 instead of U32_MAX / 2 + 1 as the constant to check
against
- Add patch to fix stackmap.c
v2:
- Fix off-by-one error in overflow check
- Apply the same fix to hashtab, where the devmap_hash code was copied
from (John)
Toke Høiland-Jørgensen (3):
bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
bpf: Fix hashtab overflow check on 32-bit arches
bpf: Fix stackmap overflow check on 32-bit arches
kernel/bpf/devmap.c | 11 ++++++-----
kernel/bpf/hashtab.c | 14 +++++++++-----
kernel/bpf/stackmap.c | 9 ++++++---
3 files changed, 21 insertions(+), 13 deletions(-)
====================
Link: https://lore.kernel.org/r/20240307120340.99577-1-toke@redhat.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'kernel/bpf/devmap.c')
| -rw-r--r-- | kernel/bpf/devmap.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index a936c704d4e7..4e2cdbb5629f 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -130,13 +130,14 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) bpf_map_init_from_attr(&dtab->map, attr); if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { - dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); - - if (!dtab->n_buckets) /* Overflow check */ + /* hash table size must be power of 2; roundup_pow_of_two() can + * overflow into UB on 32-bit arches, so check that first + */ + if (dtab->map.max_entries > 1UL << 31) return -EINVAL; - } - if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { + dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); + dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets, dtab->map.numa_node); if (!dtab->dev_index_head) |