Message ID | 150842903200.12537.10765604428561566031.stgit@john-XPS-13-9360 |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Series | [net] bpf: devmap fix arithmetic overflow in bitmap_size calculation |
On Thu, Oct 19, 2017 at 09:03:52AM -0700, John Fastabend wrote:
> An integer overflow is possible in dev_map_bitmap_size() when
> calculating the BITS_TO_LONG logic which becomes, after macro
> replacement,
>
> (((n) + (d) - 1)/ (d))
>
> where 'n' is a __u32 and 'd' is (8 * sizeof(long)). To avoid
> overflow cast to u64 before arithmetic.
>
> Reported-by: Richard Weinberger <richard@nod.at>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: John Fastabend <john.fastabend@gmail.com>

Acked-by: Alexei Starovoitov <ast@kernel.org>

From: John Fastabend <john.r.fastabend@gmail.com>
Date: Thu, 19 Oct 2017 09:03:52 -0700

> An integer overflow is possible in dev_map_bitmap_size() when
> calculating the BITS_TO_LONG logic which becomes, after macro
> replacement,
>
> (((n) + (d) - 1)/ (d))
>
> where 'n' is a __u32 and 'd' is (8 * sizeof(long)). To avoid
> overflow cast to u64 before arithmetic.
>
> Reported-by: Richard Weinberger <richard@nod.at>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: John Fastabend <john.fastabend@gmail.com>

Applied.
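The wrap described in the commit message, as an added example that is not part of the original thread or the kernel source. It models a 32-bit target (long and size_t both 32 bits wide, an assumption stated in the code) and compares the size computed without and with the u64 cast; the names MODEL_*, ROUND_UP_DIV, bitmap_size_before, bitmap_size_after and first_wrapping_entries are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-bit target, where long and size_t are 32 bits wide, so
 * 'd' = 8 * sizeof(long) = 32 and the arithmetic on a __u32 'n' is 32-bit. */
#define MODEL_LONG_BYTES    ((uint32_t)4)
#define MODEL_BITS_PER_LONG ((uint32_t)(8 * 4))

/* The expression quoted in the commit message, after macro replacement. */
#define ROUND_UP_DIV(n, d) (((n) + (d) - 1) / (d))

/* Model of the removed line: 'n' stays 32-bit, so n + d - 1 can wrap. */
static uint64_t bitmap_size_before(uint32_t max_entries)
{
    return ROUND_UP_DIV(max_entries, MODEL_BITS_PER_LONG) * MODEL_LONG_BYTES;
}

/* Model of the added line: 'n' is widened to 64 bits before the addition. */
static uint64_t bitmap_size_after(uint32_t max_entries)
{
    return ROUND_UP_DIV((uint64_t)max_entries, MODEL_BITS_PER_LONG) * MODEL_LONG_BYTES;
}

/* Smallest max_entries for which the two computations disagree. */
static uint32_t first_wrapping_entries(void)
{
    for (uint64_t n = UINT32_MAX - 2 * MODEL_BITS_PER_LONG; n <= UINT32_MAX; n++)
        if (bitmap_size_before((uint32_t)n) != bitmap_size_after((uint32_t)n))
            return (uint32_t)n;
    return 0; /* not reached on the modelled target */
}

int main(void)
{
    /* Constructed sample values: one small, one just below the wrap, two above. */
    uint32_t samples[] = { 64, 0xFFFFFFE0u, first_wrapping_entries(), UINT32_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("max_entries=0x%08x before=%llu after=%llu\n", samples[i],
               (unsigned long long)bitmap_size_before(samples[i]),
               (unsigned long long)bitmap_size_after(samples[i]));
    return 0;
}
```

On the modelled target, every max_entries from 0xFFFFFFE1 upward gives a bitmap size of 0 bytes without the cast and 536870912 bytes with it.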
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 7d9f32f..6d3ec97 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -69,7 +69,7 @@ static LIST_HEAD(dev_map_list); static u64 dev_map_bitmap_size(const union bpf_attr *attr) { - return BITS_TO_LONGS(attr->max_entries) * sizeof(unsigned long); + return BITS_TO_LONGS((u64) attr->max_entries) * sizeof(unsigned long); } static struct bpf_map *dev_map_alloc(union bpf_attr *attr)
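Review bot: the (u64) cast on attr->max_entries in the return statement of dev_map_bitmap_size() carries the whole fix, yet nothing at that line says why it is needed, so it reads as a redundant cast that a later cleanup could drop. A one-line comment above the return, stating that max_entries is a __u32 and must be widened before the round-up addition inside BITS_TO_LONGS(), would protect it. As a style point, kernel convention puts no space after a cast, so the argument would read (u64)attr->max_entries.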