
[-next] bpf: null dereference allocating large arrays

Message ID 20141122183059.GC6994@mwanda
State Not Applicable, archived
Delegated to: David Miller

Commit Message

Dan Carpenter Nov. 22, 2014, 6:30 p.m. UTC
There is a typo here: "array" is null, so we can't dereference it, and
also the size calculation should match the kzalloc() on the lines
before.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Alexei Starovoitov Nov. 22, 2014, 6:45 p.m. UTC | #1
On Sat, Nov 22, 2014 at 10:30 AM, Dan Carpenter
<dan.carpenter@oracle.com> wrote:
> There is a typo here: "array" is null, so we can't dereference it, and
> also the size calculation should match the kzalloc() on the lines
> before.

Not sure what tree you're looking at...
it was more than a typo, but it was fixed 4 days ago.
See commit daaf427c6ab39 ("bpf: fix arraymap NULL deref and missing
overflow and zero size checks")
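To show, in a form that runs outside the kernel, the allocation pattern the commit message and the reply above are discussing, here is an added example (not code from this patch or from the kernel tree): a userspace model of array_map_alloc() in which the total size is computed once from the attributes, rejected when max_entries or value_size is zero or when the header plus entries would not fit in 32 bits, and then passed unchanged to both the primary and the fallback allocator, so the fallback never reads fields through the pointer that just came back NULL. The struct names bpf_attr_model and bpf_array_model, the 32-bit size cap, the always_fail allocator and the two scalar wrappers are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel's union bpf_attr and struct bpf_array
 * (not the kernel's definitions): only the fields this example needs. */
struct bpf_attr_model {
	uint32_t max_entries;
	uint32_t value_size;
};

struct bpf_array_model {
	uint32_t max_entries;
	uint32_t elem_size;
	char value[];		/* max_entries slots of elem_size bytes each */
};

/* Total allocation size for the map, or 0 when the attributes are rejected:
 * zero entries, zero value size, or a header + entries total that would not
 * fit in 32 bits (modelling the kernel's u32 size arithmetic, where an
 * unchecked max_entries * elem_size could wrap to a small number). */
size_t array_map_alloc_size(const struct bpf_attr_model *attr)
{
	uint64_t elem_size, total;

	if (attr->max_entries == 0 || attr->value_size == 0)
		return 0;
	/* round_up(value_size, 8), done in 64 bits so it cannot wrap */
	elem_size = ((uint64_t)attr->value_size + 7) & ~(uint64_t)7;
	total = sizeof(struct bpf_array_model) +
		(uint64_t)attr->max_entries * elem_size;
	if (total > UINT32_MAX)
		return 0;
	return (size_t)total;
}

/* kzalloc()/vzalloc()-style allocation: try the primary allocator, then fall
 * back to the second one with the *same* precomputed size.  The size comes
 * from attr, never from the freshly returned pointer, which is the NULL
 * dereference the patch fixes. */
struct bpf_array_model *array_map_alloc(const struct bpf_attr_model *attr,
					void *(*primary)(size_t),
					void *(*fallback)(size_t))
{
	size_t size = array_map_alloc_size(attr);
	struct bpf_array_model *array;

	if (size == 0)
		return NULL;		/* kernel: ERR_PTR(-EINVAL) */
	array = primary(size);
	if (!array)
		array = fallback(size);
	if (!array)
		return NULL;		/* kernel: ERR_PTR(-ENOMEM) */
	memset(array, 0, size);		/* the "z" in kzalloc/vzalloc */
	array->max_entries = attr->max_entries;
	array->elem_size = (uint32_t)(((uint64_t)attr->value_size + 7) & ~(uint64_t)7);
	return array;
}

/* Constructed primary allocator that always fails, to drive the fallback path. */
static void *always_fail(size_t n) { (void)n; return NULL; }

/* Scalar wrapper around the size computation. */
size_t alloc_size_for(uint32_t max_entries, uint32_t value_size)
{
	struct bpf_attr_model attr = { max_entries, value_size };
	return array_map_alloc_size(&attr);
}

/* Allocate through the fallback path and report whether the header fields
 * were filled in as expected (1) or the attributes were rejected (0). */
int fallback_alloc_ok(uint32_t max_entries, uint32_t value_size)
{
	struct bpf_attr_model attr = { max_entries, value_size };
	struct bpf_array_model *array = array_map_alloc(&attr, always_fail, malloc);
	int ok;

	if (!array)
		return 0;
	ok = array->max_entries == max_entries &&
	     array->elem_size == ((value_size + 7u) & ~7u);
	free(array);
	return ok;
}
```

Computing the size once and checking it before either allocator runs is what makes the two call sites impossible to drift apart; the patch's original bug was exactly that the fallback recomputed the size from data it did not have.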

Patch

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 58b80c1..662a412 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -38,7 +38,7 @@  static struct bpf_map *array_map_alloc(union bpf_attr *attr)
 	array = kzalloc(sizeof(*array) + attr->max_entries * elem_size,
 			GFP_USER | __GFP_NOWARN);
 	if (!array) {
-		array = vzalloc(array->map.max_entries * array->elem_size);
+		array = vzalloc(sizeof(*array) + attr->max_entries * elem_size);
 		if (!array)
 			return ERR_PTR(-ENOMEM);
 	}
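Review bot: the corrected vzalloc() line now uses the same `sizeof(*array) + attr->max_entries * elem_size` expression as the kzalloc() above it, which removes the read through the NULL `array`, but that expression is still an unchecked multiplication in both calls, so a large max_entries can wrap to a small size that either allocator would accept; the reply cites commit daaf427c6ab39 ("bpf: fix arraymap NULL deref and missing overflow and zero size checks") as already covering both problems, so this hunk should be dropped or rebased on that commit rather than applied on its own.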