[-next] bpf: off by one in check_map_func_compatibility()

Message ID	20150813202747.GA6478@mwanda
State	Not Applicable, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> Date: Thu, 13 Aug 2015 23:27:47 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Alexei Starovoitov <ast@kernel.org>, Kaixu Xia <xiakaixu@huawei.com> Cc: netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch -next] bpf: off by one in check_map_func_compatibility() Message-ID: <20150813202747.GA6478@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

20150813202747.GA6478@mwanda

State

Not Applicable, archived

Delegated to:

David Miller

Headers

Date: Thu, 13 Aug 2015 23:27:47 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Alexei Starovoitov <ast@kernel.org>,
	Kaixu Xia <xiakaixu@huawei.com>
Cc: netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch -next] bpf: off by one in check_map_func_compatibility()
Message-ID: <20150813202747.GA6478@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Dan Carpenter Aug. 13, 2015, 8:27 p.m. UTC

The loop iterates one space too far, so we might read beyond the end of
the func_limit[] array.

Fixes: 35578d798400 ('bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Daniel Borkmann Aug. 13, 2015, 8:31 p.m. UTC | #1

On 08/13/2015 10:27 PM, Dan Carpenter wrote:
> The loop iterates one space too far, so we might read beyond the end of
> the func_limit[] array.
>
> Fixes: 35578d798400 ('bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks for the fix, Dan!

There's however already one queued up here:

https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=140d8b335a9beb234fd0ed9a15aa6a47f47fd771

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 48e1c71..ed12e38 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -853,7 +853,7 @@ static int check_map_func_compatibility(struct bpf_map *map, int func_id)
>   	if (!map)
>   		return 0;
>
> -	for (i = 0; i <= ARRAY_SIZE(func_limit); i++) {
> +	for (i = 0; i < ARRAY_SIZE(func_limit); i++) {
>   		bool_map = (map->map_type == func_limit[i].map_type);
>   		bool_func = (func_id == func_limit[i].func_id);
>   		/* only when map & func pair match it can continue.
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 48e1c71..ed12e38 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -853,7 +853,7 @@  static int check_map_func_compatibility(struct bpf_map *map, int func_id)
 	if (!map)
 		return 0;
 
-	for (i = 0; i <= ARRAY_SIZE(func_limit); i++) {
+	for (i = 0; i < ARRAY_SIZE(func_limit); i++) {
 		bool_map = (map->map_type == func_limit[i].map_type);
 		bool_func = (func_id == func_limit[i].func_id);
 		/* only when map & func pair match it can continue.

[-next] bpf: off by one in check_map_func_compatibility()

Commit Message

Comments

Patch