diff mbox series

[bpf] bpf: Fix integer overflow in queue_stack_map_alloc.

Message ID 20181122163519.7299-1-ww9210@gmail.com
State Changes Requested, archived
Delegated to: BPF Maintainers
Headers show
Series [bpf] bpf: Fix integer overflow in queue_stack_map_alloc. | expand

Commit Message

ww9210 Nov. 22, 2018, 4:35 p.m. UTC 
Integer overflow in queue_stack_map_alloc when calculating size may lead to heap overflow of arbitrary length.
The patch fix it by checking whether attr->max_entries+1 < attr->max_entries and bailing out if it is the case.
The vulnerability is discovered with the assistance of syzkaller.

Reported-by: Wei Wu <ww9210@gmail.com>
To: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev <netdev@vger.kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Wei Wu <ww9210@gmail.com>
---
 kernel/bpf/queue_stack_maps.c | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..c35a8a4721c8 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -67,6 +67,8 @@  static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
 	u64 queue_size, cost;
 
 	size = attr->max_entries + 1;
+	if (size < attr->max_entries)
+		return ERR_PTR(-EINVAL);
 	value_size = attr->value_size;
 
 	queue_size = sizeof(*qs) + (u64) value_size * size;