release/5.2.37/libbpf-Fix-another-potential-overflow-issue-in-bpf_p.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From f31c6ef67f03747aab1a3bce2c31de6136c4a1bc Mon Sep 17 00:00:00 2001
 From: Andrii Nakryiko <andriin@fb.com>
 Date: Wed, 6 Nov 2019 18:08:53 -0800
 Subject: [PATCH] libbpf: Fix another potential overflow issue in
  bpf_prog_linfo

 commit dd3ab126379ec040b3edab8559f9c72de6ef9d29 upstream.

 Fix few issues found by Coverity and LGTM.

 Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump")
 Signed-off-by: Andrii Nakryiko <andriin@fb.com>
 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
 Link: https://lore.kernel.org/bpf/20191107020855.3834758-4-andriin@fb.com
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/tools/lib/bpf/bpf_prog_linfo.c b/tools/lib/bpf/bpf_prog_linfo.c
 index 6978314ea7f6..0ca04865a339 100644
 --- a/tools/lib/bpf/bpf_prog_linfo.c
 +++ b/tools/lib/bpf/bpf_prog_linfo.c
 @@ -104,6 +104,7 @@ struct bpf_prog_linfo *bpf_prog_linfo__new(const struct bpf_prog_info *info)
  {
  	struct bpf_prog_linfo *prog_linfo;
  	__u32 nr_linfo, nr_jited_func;
 +	__u64 data_sz;

  	nr_linfo = info->nr_line_info;

 @@ -125,11 +126,11 @@ struct bpf_prog_linfo *bpf_prog_linfo__new(const struct bpf_prog_info *info)
  	/* Copy xlated line_info */
  	prog_linfo->nr_linfo = nr_linfo;
  	prog_linfo->rec_size = info->line_info_rec_size;
 -	prog_linfo->raw_linfo = malloc(nr_linfo * prog_linfo->rec_size);
 +	data_sz = (__u64)nr_linfo * prog_linfo->rec_size;
 +	prog_linfo->raw_linfo = malloc(data_sz);
  	if (!prog_linfo->raw_linfo)
  		goto err_free;
 -	memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info,
 -	       nr_linfo * prog_linfo->rec_size);
 +	memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info, data_sz);

  	nr_jited_func = info->nr_jited_ksyms;
  	if (!nr_jited_func ||
 @@ -145,13 +146,12 @@ struct bpf_prog_linfo *bpf_prog_linfo__new(const struct bpf_prog_info *info)
  	/* Copy jited_line_info */
  	prog_linfo->nr_jited_func = nr_jited_func;
  	prog_linfo->jited_rec_size = info->jited_line_info_rec_size;
 -	prog_linfo->raw_jited_linfo = malloc(nr_linfo *
 -					     prog_linfo->jited_rec_size);
 +	data_sz = (__u64)nr_linfo * prog_linfo->jited_rec_size;
 +	prog_linfo->raw_jited_linfo = malloc(data_sz);
  	if (!prog_linfo->raw_jited_linfo)
  		goto err_free;
  	memcpy(prog_linfo->raw_jited_linfo,
 -	       (void *)(long)info->jited_line_info,
 -	       nr_linfo * prog_linfo->jited_rec_size);
 +	       (void *)(long)info->jited_line_info, data_sz);

  	/* Number of jited_line_info per jited func */
  	prog_linfo->nr_jited_linfo_per_func = malloc(nr_jited_func *
 --
 2.7.4
	From f31c6ef67f03747aab1a3bce2c31de6136c4a1bc Mon Sep 17 00:00:00 2001
	From: Andrii Nakryiko <andriin@fb.com>
	Date: Wed, 6 Nov 2019 18:08:53 -0800
	Subject: [PATCH] libbpf: Fix another potential overflow issue in
	bpf_prog_linfo

	commit dd3ab126379ec040b3edab8559f9c72de6ef9d29 upstream.

	Fix few issues found by Coverity and LGTM.

	Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump")
	Signed-off-by: Andrii Nakryiko <andriin@fb.com>
	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	Link: https://lore.kernel.org/bpf/20191107020855.3834758-4-andriin@fb.com
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/tools/lib/bpf/bpf_prog_linfo.c b/tools/lib/bpf/bpf_prog_linfo.c
	index 6978314ea7f6..0ca04865a339 100644
	--- a/tools/lib/bpf/bpf_prog_linfo.c
	+++ b/tools/lib/bpf/bpf_prog_linfo.c
	@@ -104,6 +104,7 @@ struct bpf_prog_linfo bpf_prog_linfo__new(const struct bpf_prog_info info)
	{
	struct bpf_prog_linfo *prog_linfo;
	__u32 nr_linfo, nr_jited_func;
	+ __u64 data_sz;

	nr_linfo = info->nr_line_info;

	@@ -125,11 +126,11 @@ struct bpf_prog_linfo bpf_prog_linfo__new(const struct bpf_prog_info info)
	/* Copy xlated line_info */
	prog_linfo->nr_linfo = nr_linfo;
	prog_linfo->rec_size = info->line_info_rec_size;
	- prog_linfo->raw_linfo = malloc(nr_linfo * prog_linfo->rec_size);
	+ data_sz = (__u64)nr_linfo * prog_linfo->rec_size;
	+ prog_linfo->raw_linfo = malloc(data_sz);
	if (!prog_linfo->raw_linfo)
	goto err_free;
	- memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info,
	- nr_linfo * prog_linfo->rec_size);
	+ memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info, data_sz);

	nr_jited_func = info->nr_jited_ksyms;
	if (!nr_jited_func \|\|
	@@ -145,13 +146,12 @@ struct bpf_prog_linfo bpf_prog_linfo__new(const struct bpf_prog_info info)
	/* Copy jited_line_info */
	prog_linfo->nr_jited_func = nr_jited_func;
	prog_linfo->jited_rec_size = info->jited_line_info_rec_size;
	- prog_linfo->raw_jited_linfo = malloc(nr_linfo *
	- prog_linfo->jited_rec_size);
	+ data_sz = (__u64)nr_linfo * prog_linfo->jited_rec_size;
	+ prog_linfo->raw_jited_linfo = malloc(data_sz);
	if (!prog_linfo->raw_jited_linfo)
	goto err_free;
	memcpy(prog_linfo->raw_jited_linfo,
	- (void *)(long)info->jited_line_info,
	- nr_linfo * prog_linfo->jited_rec_size);
	+ (void *)(long)info->jited_line_info, data_sz);

	/* Number of jited_line_info per jited func */
	prog_linfo->nr_jited_linfo_per_func = malloc(nr_jited_func *
	--
	2.7.4