bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc

stable inclusion from stable-v5.10.87 commit 613725436e69fc3ccdf39f827bb274f999288dba bugzilla: 186049 https://gitee.com/openeuler/kernel/issues/I4QVYL Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=613725436e69fc3ccdf39f827bb274f999288dba -------------------------------- commit 7dd5d437 upstream. In 32-bit architecture, the result of sizeof() is a 32-bit integer so the expression becomes the multiplication between 2 32-bit integer which can potentially leads to integer overflow. As a result, bpf_map_area_alloc() allocates less memory than needed. Fix this by casting 1 operand to u64. Fixes: 0d2c4f96 ("bpf: Eliminate rlimit-based memory accounting for sockmap and sockhash maps") Fixes: 99c51064 ("devmap: Use bpf_map_area_alloc() for allocating hash buckets") Fixes: 546ac1ff ("bpf: add devmap, a map for storing net device references") Signed-off-by: N Bui Quang Minh <minhquangbui99@gmail.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20210613143440.71975-1-minhquangbui99@gmail.comSigned-off-by: N Connor O'Brien <connoro@google.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc
stable inclusion from stable-v5.10.87 commit 613725436e69fc3ccdf39f827bb274f999288dba bugzilla: 186049 https://gitee.com/openeuler/kernel/issues/I4QVYL Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=613725436e69fc3ccdf39f827bb274f999288dba -------------------------------- commit 7dd5d437 upstream. In 32-bit architecture, the result of sizeof() is a 32-bit integer so the expression becomes the multiplication between 2 32-bit integer which can potentially leads to integer overflow. As a result, bpf_map_area_alloc() allocates less memory than needed. Fix this by casting 1 operand to u64. Fixes: 0d2c4f96 ("bpf: Eliminate rlimit-based memory accounting for sockmap and sockhash maps") Fixes: 99c51064 ("devmap: Use bpf_map_area_alloc() for allocating hash buckets") Fixes: 546ac1ff ("bpf: add devmap, a map for storing net device references") Signed-off-by: N Bui Quang Minh <minhquangbui99@gmail.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20210613143440.71975-1-minhquangbui99@gmail.comSigned-off-by: N Connor O'Brien <connoro@google.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
d4ddcc27 · Bui Quang Minh · Zheng Zengkai · 7f92408c · d4ddcc27 · d4ddcc27
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

kernel/bpf/devmap.c kernel/bpf/devmap.c +2 -2

net/core/sock_map.c net/core/sock_map.c +1 -1

未找到文件。
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -92,7 +92,7 @@ static struct hlist_head *dev_map_create_hash(unsigned int entries,
 	int i;
 	struct hlist_head *hash;

-	hash = bpf_map_area_alloc(entries * sizeof(*hash), numa_node);
+	hash = bpf_map_area_alloc((u64) entries * sizeof(*hash), numa_node);
 	if (hash != NULL)
 		for (i = 0; i < entries; i++)
 			INIT_HLIST_HEAD(&hash[i]);
@@ -153,7 +153,7 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)

 		spin_lock_init(&dtab->index_lock);
 	} else {
-		dtab->netdev_map = bpf_map_area_alloc(dtab->map.max_entries *
+		dtab->netdev_map = bpf_map_area_alloc((u64) dtab->map.max_entries *
 						      sizeof(struct bpf_dtab_netdev *),
 						      dtab->map.numa_node);
 		if (!dtab->netdev_map)

--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -52,7 +52,7 @@ static struct bpf_map *sock_map_alloc(union bpf_attr *attr)
 	if (err)
 		goto free_stab;

-	stab->sks = bpf_map_area_alloc(stab->map.max_entries *
+	stab->sks = bpf_map_area_alloc((u64) stab->map.max_entries *
 				       sizeof(struct sock *),
 				       stab->map.numa_node);
 	if (stab->sks)