diff options
Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0045-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch')
-rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0045-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0045-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0045-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch new file mode 100644 index 00000000..def8e08e --- /dev/null +++ b/common/recipes-kernel/linux/linux-yocto-4.9.21/0045-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch @@ -0,0 +1,83 @@ +From ac13c748f64dbc040dc206f6cc3665f6218d3cd4 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann <daniel@iogearbox.net> +Date: Wed, 10 Jan 2018 23:25:05 +0100 +Subject: [PATCH 045/102] bpf, array: fix overflow in max_entries and undefined + behavior in index_mask + +commit bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1 upstream. + +syzkaller tried to alloc a map with 0xfffffffd entries out of a userns, +and thus unprivileged. With the recently added logic in b2157399cc98 +("bpf: prevent out-of-bounds speculation") we round this up to the next +power of two value for max_entries for unprivileged such that we can +apply proper masking into potentially zeroed out map slots. + +However, this will generate an index_mask of 0xffffffff, and therefore +a + 1 will let this overflow into new max_entries of 0. This will pass +allocation, etc, and later on map access we still enforce on the original +attr->max_entries value which was 0xfffffffd, therefore triggering GPF +all over the place. Thus bail out on overflow in such case. + +Moreover, on 32 bit archs roundup_pow_of_two() can also not be used, +since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit +space is undefined. Therefore, do this by hand in a 64 bit variable. + +This fixes all the issues triggered by syzkaller's reproducers. + +Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") +Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com +Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com +Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com +Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com +Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com +Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> +Signed-off-by: Alexei Starovoitov <ast@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + kernel/bpf/arraymap.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index eeb7f1b..c6c0b62 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -50,7 +50,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) + u32 elem_size, index_mask, max_entries; + bool unpriv = !capable(CAP_SYS_ADMIN); + struct bpf_array *array; +- u64 array_size; ++ u64 array_size, mask64; + + /* check sanity of attributes */ + if (attr->max_entries == 0 || attr->key_size != 4 || +@@ -66,13 +66,25 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) + elem_size = round_up(attr->value_size, 8); + + max_entries = attr->max_entries; +- index_mask = roundup_pow_of_two(max_entries) - 1; + +- if (unpriv) ++ /* On 32 bit archs roundup_pow_of_two() with max_entries that has ++ * upper most bit set in u32 space is undefined behavior due to ++ * resulting 1U << 32, so do it manually here in u64 space. ++ */ ++ mask64 = fls_long(max_entries - 1); ++ mask64 = 1ULL << mask64; ++ mask64 -= 1; ++ ++ index_mask = mask64; ++ if (unpriv) { + /* round up array size to nearest power of 2, + * since cpu will speculate within index_mask limits + */ + max_entries = index_mask + 1; ++ /* Check for overflows. */ ++ if (max_entries < attr->max_entries) ++ return ERR_PTR(-E2BIG); ++ } + + array_size = sizeof(*array); + if (percpu) +-- +2.7.4 + |