releases/5.4.167/bpf-fix-integer-overflow-in-argument-calculation-for-bpf_map_area_alloc.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 Mon Sep 17 00:00:00 2001
 From: Bui Quang Minh <minhquangbui99@gmail.com>
 Date: Sun, 13 Jun 2021 21:34:39 +0700
 Subject: bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc

 From: Bui Quang Minh <minhquangbui99@gmail.com>

 commit 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 upstream.

 In 32-bit architecture, the result of sizeof() is a 32-bit integer so
 the expression becomes the multiplication between 2 32-bit integer which
 can potentially leads to integer overflow. As a result,
 bpf_map_area_alloc() allocates less memory than needed.

 Fix this by casting 1 operand to u64.

 Fixes: 0d2c4f964050 ("bpf: Eliminate rlimit-based memory accounting for sockmap and sockhash maps")
 Fixes: 99c51064fb06 ("devmap: Use bpf_map_area_alloc() for allocating hash buckets")
 Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
 Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
 Signed-off-by: Alexei Starovoitov <ast@kernel.org>
 Link: https://lore.kernel.org/bpf/20210613143440.71975-1-minhquangbui99@gmail.com
 Signed-off-by: Connor O'Brien <connoro@google.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  kernel/bpf/devmap.c |    4 ++--
  net/core/sock_map.c |    2 +-
  2 files changed, 3 insertions(+), 3 deletions(-)

 --- a/kernel/bpf/devmap.c
 +++ b/kernel/bpf/devmap.c
 @@ -94,7 +94,7 @@ static struct hlist_head *dev_map_create
  	int i;
  	struct hlist_head *hash;

 -	hash = bpf_map_area_alloc(entries * sizeof(*hash), numa_node);
 +	hash = bpf_map_area_alloc((u64) entries * sizeof(*hash), numa_node);
  	if (hash != NULL)
  		for (i = 0; i < entries; i++)
  			INIT_HLIST_HEAD(&hash[i]);
 @@ -159,7 +159,7 @@ static int dev_map_init_map(struct bpf_d

  		spin_lock_init(&dtab->index_lock);
  	} else {
 -		dtab->netdev_map = bpf_map_area_alloc(dtab->map.max_entries *
 +		dtab->netdev_map = bpf_map_area_alloc((u64) dtab->map.max_entries *
  						      sizeof(struct bpf_dtab_netdev *),
  						      dtab->map.numa_node);
  		if (!dtab->netdev_map)
 --- a/net/core/sock_map.c
 +++ b/net/core/sock_map.c
 @@ -48,7 +48,7 @@ static struct bpf_map *sock_map_alloc(un
  	if (err)
  		goto free_stab;

 -	stab->sks = bpf_map_area_alloc(stab->map.max_entries *
 +	stab->sks = bpf_map_area_alloc((u64) stab->map.max_entries *
  				       sizeof(struct sock *),
  				       stab->map.numa_node);
  	if (stab->sks)
	From 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 Mon Sep 17 00:00:00 2001
	From: Bui Quang Minh <minhquangbui99@gmail.com>
	Date: Sun, 13 Jun 2021 21:34:39 +0700
	Subject: bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc

	From: Bui Quang Minh <minhquangbui99@gmail.com>

	commit 7dd5d437c258bbf4cc15b35229e5208b87b8b4e0 upstream.

	In 32-bit architecture, the result of sizeof() is a 32-bit integer so
	the expression becomes the multiplication between 2 32-bit integer which
	can potentially leads to integer overflow. As a result,
	bpf_map_area_alloc() allocates less memory than needed.

	Fix this by casting 1 operand to u64.

	Fixes: 0d2c4f964050 ("bpf: Eliminate rlimit-based memory accounting for sockmap and sockhash maps")
	Fixes: 99c51064fb06 ("devmap: Use bpf_map_area_alloc() for allocating hash buckets")
	Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
	Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
	Link: https://lore.kernel.org/bpf/20210613143440.71975-1-minhquangbui99@gmail.com
	Signed-off-by: Connor O'Brien <connoro@google.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	kernel/bpf/devmap.c \| 4 ++--
	net/core/sock_map.c \| 2 +-
	2 files changed, 3 insertions(+), 3 deletions(-)

	--- a/kernel/bpf/devmap.c
	+++ b/kernel/bpf/devmap.c
	@@ -94,7 +94,7 @@ static struct hlist_head *dev_map_create
	int i;
	struct hlist_head *hash;

	- hash = bpf_map_area_alloc(entries * sizeof(*hash), numa_node);
	+ hash = bpf_map_area_alloc((u64) entries * sizeof(*hash), numa_node);
	if (hash != NULL)
	for (i = 0; i < entries; i++)
	INIT_HLIST_HEAD(&hash[i]);
	@@ -159,7 +159,7 @@ static int dev_map_init_map(struct bpf_d

	spin_lock_init(&dtab->index_lock);
	} else {
	- dtab->netdev_map = bpf_map_area_alloc(dtab->map.max_entries *
	+ dtab->netdev_map = bpf_map_area_alloc((u64) dtab->map.max_entries *
	sizeof(struct bpf_dtab_netdev *),
	dtab->map.numa_node);
	if (!dtab->netdev_map)
	--- a/net/core/sock_map.c
	+++ b/net/core/sock_map.c
	@@ -48,7 +48,7 @@ static struct bpf_map *sock_map_alloc(un
	if (err)
	goto free_stab;

	- stab->sks = bpf_map_area_alloc(stab->map.max_entries *
	+ stab->sks = bpf_map_area_alloc((u64) stab->map.max_entries *
	sizeof(struct sock *),
	stab->map.numa_node);
	if (stab->sks)