From patchwork Thu Oct 19 16:03:52 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Fastabend <john.r.fastabend@gmail.com>
X-Patchwork-Id: 828187
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="Bex9fwMM"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3yHtz74PT5z9t3f
	for <patchwork-incoming@ozlabs.org>;
	Fri, 20 Oct 2017 03:04:19 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754698AbdJSQER (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 19 Oct 2017 12:04:17 -0400
Received: from mail-pf0-f193.google.com ([209.85.192.193]:54743 "EHLO
	mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752579AbdJSQEQ (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 19 Oct 2017 12:04:16 -0400
Received: by mail-pf0-f193.google.com with SMTP id n89so6878140pfk.11
	for <netdev@vger.kernel.org>; Thu, 19 Oct 2017 09:04:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:subject:to:cc:date:message-id:user-agent:mime-version
	:content-transfer-encoding;
	bh=UleJmwtWX/F6RdxUw/z7GJIgtUNombeZbu7aIfdr8HM=;
	b=Bex9fwMMbyneRIcmrlXGqlOfdCxAoFSKfwZFuBwdB8InAf4f/G320Izdubleyxa8WU
	7sma5XY+u299aw0ajoISh3kqumtzhL03tS3LqVClVustQTuV7K63CYeRv5E+wB0ZslMA
	Lk6N+GauyjAXeFHBhAD0TwvBcQKq8H8zXn8mWv2LBY8W1WBcU0cYxUW/eaMn41wNGQsB
	9mQ1abMtGvrMbwEz27oftAavmE5dl2gCzUQKOuFsN8qLMWx4mY8WC0FrsnSJ2I9E1OzX
	FLL8T/EgK02uHG4uLvFg3UVy3dknln+LWk4LqyjAUrrlWLZC5HO98B38EJzKSbLDQPJq
	4WIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:subject:to:cc:date:message-id:user-agent
	:mime-version:content-transfer-encoding;
	bh=UleJmwtWX/F6RdxUw/z7GJIgtUNombeZbu7aIfdr8HM=;
	b=B7c7gjKohSdE+gwW5RkVwf8DD8n2sOJwBbR9yinR642dg3Tap20KENp938R+/+W9aB
	/o1r4XxfrRog1J/eOw5UuQbfL0VbWA+Y0A63/w8lPbE+JqBEa3BY7H5dw23dr/lloThQ
	YKdMMMIGY4R/eCVL0kTxyVP//g6BJQ2S6U3ywvG0QrSfXjppdtUpGOM23tQsulSwPvV4
	WL5H2JA/ta+7O+mYiQpC4X4YvE3+kUKb8OQtwtRwN3GGXHHYpE+y6Ri5tUI53Hx5SvIo
	8HVbeGgfkKDqGkjJK8qN7aku7M4SRL6lsevZ6CAPg4oJNFlaFiGVQOl4s1xDSmVQG2G8
	4Amg==
X-Gm-Message-State: AMCzsaXDT0gW/4QV46nu43jKPVgKqv6hk7A4hK5+Q5OyLbzjTRpFbmTS
	LKboxA7us52S7RZfLT+RwEc=
X-Google-Smtp-Source: 
 ABhQp+T/IyfGCtBRHTuc65dSH1Tclm9ZzcFkECtyFd42ifjLzgKG+A/l76i+wTBT0b5TnzRdvdJr5g==
X-Received: by 10.84.233.10 with SMTP id j10mr1926852plk.14.1508429055775;
	Thu, 19 Oct 2017 09:04:15 -0700 (PDT)
Received: from [127.0.1.1] ([72.168.146.16])
	by smtp.gmail.com with ESMTPSA id
	u9sm26157736pfa.40.2017.10.19.09.04.01
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 19 Oct 2017 09:04:14 -0700 (PDT)
From: John Fastabend <john.r.fastabend@gmail.com>
X-Google-Original-From: John Fastabend <john.fastabend@gmail.com>
Subject: [net PATCH] bpf: devmap fix arithmetic overflow in bitmap_size
	calculation
To: richard@nod.at, alexei.starovoitov@gmail.com, davem@davemloft.net
Cc: netdev@vger.kernel.org, borkmann@iogearbox.net
Date: Thu, 19 Oct 2017 09:03:52 -0700
Message-ID: <150842903200.12537.10765604428561566031.stgit@john-XPS-13-9360>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

An integer overflow is possible in dev_map_bitmap_size() when
calculating the BITS_TO_LONG logic which becomes, after macro
replacement,

	(((n) + (d) - 1)/ (d))

where 'n' is a __u32 and 'd' is (8 * sizeof(long)). To avoid
overflow cast to u64 before arithmetic.

Reported-by: Richard Weinberger <richard@nod.at>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/bpf/devmap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 7d9f32f..6d3ec97 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -69,7 +69,7 @@ static LIST_HEAD(dev_map_list);
 
 static u64 dev_map_bitmap_size(const union bpf_attr *attr)
 {
-	return BITS_TO_LONGS(attr->max_entries) * sizeof(unsigned long);
+	return BITS_TO_LONGS((u64) attr->max_entries) * sizeof(unsigned long);
 }
 
 static struct bpf_map *dev_map_alloc(union bpf_attr *attr)