| From 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 Mon Sep 17 00:00:00 2001 |
| From: Bui Quang Minh <minhquangbui99@gmail.com> |
| Date: Sun, 13 Jun 2021 21:34:39 +0700 |
| Subject: bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc |
| |
| From: Bui Quang Minh <minhquangbui99@gmail.com> |
| |
| commit 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 upstream. |
| |
| In 32-bit architecture, the result of sizeof() is a 32-bit integer so |
| the expression becomes the multiplication between 2 32-bit integer which |
| can potentially leads to integer overflow. As a result, |
| bpf_map_area_alloc() allocates less memory than needed. |
| |
| Fix this by casting 1 operand to u64. |
| |
| Fixes: 0d2c4f964050 ("bpf: Eliminate rlimit-based memory accounting for sockmap and sockhash maps") |
| Fixes: 99c51064fb06 ("devmap: Use bpf_map_area_alloc() for allocating hash buckets") |
| Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references") |
| Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> |
| Signed-off-by: Alexei Starovoitov <ast@kernel.org> |
| Link: https://lore.kernel.org/bpf/20210613143440.71975-1-minhquangbui99@gmail.com |
| Signed-off-by: Connor O'Brien <connoro@google.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| kernel/bpf/devmap.c | 4 ++-- |
| net/core/sock_map.c | 2 +- |
| 2 files changed, 3 insertions(+), 3 deletions(-) |
| |
| --- a/kernel/bpf/devmap.c |
| +++ b/kernel/bpf/devmap.c |
| @@ -94,7 +94,7 @@ static struct hlist_head *dev_map_create |
| int i; |
| struct hlist_head *hash; |
| |
| - hash = bpf_map_area_alloc(entries * sizeof(*hash), numa_node); |
| + hash = bpf_map_area_alloc((u64) entries * sizeof(*hash), numa_node); |
| if (hash != NULL) |
| for (i = 0; i < entries; i++) |
| INIT_HLIST_HEAD(&hash[i]); |
| @@ -159,7 +159,7 @@ static int dev_map_init_map(struct bpf_d |
| |
| spin_lock_init(&dtab->index_lock); |
| } else { |
| - dtab->netdev_map = bpf_map_area_alloc(dtab->map.max_entries * |
| + dtab->netdev_map = bpf_map_area_alloc((u64) dtab->map.max_entries * |
| sizeof(struct bpf_dtab_netdev *), |
| dtab->map.numa_node); |
| if (!dtab->netdev_map) |
| --- a/net/core/sock_map.c |
| +++ b/net/core/sock_map.c |
| @@ -48,7 +48,7 @@ static struct bpf_map *sock_map_alloc(un |
| if (err) |
| goto free_stab; |
| |
| - stab->sks = bpf_map_area_alloc(stab->map.max_entries * |
| + stab->sks = bpf_map_area_alloc((u64) stab->map.max_entries * |
| sizeof(struct sock *), |
| stab->map.numa_node); |
| if (stab->sks) |