diff options
Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch')
-rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch | 83 |
1 files changed, 0 insertions, 83 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch deleted file mode 100644 index ef530214..00000000 --- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 5583fb3990982a52cfdcc0d1bb0cc991bee429b6 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann <daniel@iogearbox.net> -Date: Wed, 10 Jan 2018 23:25:05 +0100 -Subject: [PATCH 046/103] bpf, array: fix overflow in max_entries and undefined - behavior in index_mask - -commit bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1 upstream. - -syzkaller tried to alloc a map with 0xfffffffd entries out of a userns, -and thus unprivileged. With the recently added logic in b2157399cc98 -("bpf: prevent out-of-bounds speculation") we round this up to the next -power of two value for max_entries for unprivileged such that we can -apply proper masking into potentially zeroed out map slots. - -However, this will generate an index_mask of 0xffffffff, and therefore -a + 1 will let this overflow into new max_entries of 0. This will pass -allocation, etc, and later on map access we still enforce on the original -attr->max_entries value which was 0xfffffffd, therefore triggering GPF -all over the place. Thus bail out on overflow in such case. - -Moreover, on 32 bit archs roundup_pow_of_two() can also not be used, -since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit -space is undefined. Therefore, do this by hand in a 64 bit variable. - -This fixes all the issues triggered by syzkaller's reproducers. - -Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") -Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com -Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com -Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com -Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com -Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com -Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> -Signed-off-by: Alexei Starovoitov <ast@kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - kernel/bpf/arraymap.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c -index eeb7f1b..c6c0b62 100644 ---- a/kernel/bpf/arraymap.c -+++ b/kernel/bpf/arraymap.c -@@ -50,7 +50,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) - u32 elem_size, index_mask, max_entries; - bool unpriv = !capable(CAP_SYS_ADMIN); - struct bpf_array *array; -- u64 array_size; -+ u64 array_size, mask64; - - /* check sanity of attributes */ - if (attr->max_entries == 0 || attr->key_size != 4 || -@@ -66,13 +66,25 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) - elem_size = round_up(attr->value_size, 8); - - max_entries = attr->max_entries; -- index_mask = roundup_pow_of_two(max_entries) - 1; - -- if (unpriv) -+ /* On 32 bit archs roundup_pow_of_two() with max_entries that has -+ * upper most bit set in u32 space is undefined behavior due to -+ * resulting 1U << 32, so do it manually here in u64 space. -+ */ -+ mask64 = fls_long(max_entries - 1); -+ mask64 = 1ULL << mask64; -+ mask64 -= 1; -+ -+ index_mask = mask64; -+ if (unpriv) { - /* round up array size to nearest power of 2, - * since cpu will speculate within index_mask limits - */ - max_entries = index_mask + 1; -+ /* Check for overflows. */ -+ if (max_entries < attr->max_entries) -+ return ERR_PTR(-E2BIG); -+ } - - array_size = sizeof(*array); - if (percpu) --- -2.7.4 - |