| Message ID | 20230929204121.20305-1-daniel@iogearbox.net (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | f9b0e1088bbf35933e25c839b75094039059b3be |
| Delegated to: | BPF |
| Headers | show |
| Series | [bpf,1/2] bpf, mprog: Fix maximum program check on mprog attachment | expand |
Hello: This series was applied to bpf/bpf.git (master) by Andrii Nakryiko <andrii@kernel.org>: On Fri, 29 Sep 2023 22:41:20 +0200 you wrote: > After Paul's recent improvement to syzkaller to improve coverage for > bpf_mprog and tcx, it hit a splat that the program limit was surpassed. > What happened is that the maximum number of progs got added, followed > by another prog add request which adds with BPF_F_BEFORE flag relative > to the last program in the array. The idx >= bpf_mprog_max() check in > bpf_mprog_attach() still passes because the index is below the maximum > but the maximum will be surpassed. We need to add a check upfront for > insertions to catch this situation. > > [...] Here is the summary with links: - [bpf,1/2] bpf, mprog: Fix maximum program check on mprog attachment https://git.kernel.org/bpf/bpf/c/f9b0e1088bbf - [bpf,2/2] selftest/bpf: Add various selftests for program limits https://git.kernel.org/bpf/bpf/c/4cb893e89221 You are awesome, thank you!
diff --git a/kernel/bpf/mprog.c b/kernel/bpf/mprog.c index 32d2c4829eb8..007d98c799e2 100644 --- a/kernel/bpf/mprog.c +++ b/kernel/bpf/mprog.c @@ -253,6 +253,9 @@ int bpf_mprog_attach(struct bpf_mprog_entry *entry, goto out; } idx = tidx; + } else if (bpf_mprog_total(entry) == bpf_mprog_max()) { + ret = -ERANGE; + goto out; } if (flags & BPF_F_BEFORE) { tidx = bpf_mprog_pos_before(entry, &rtuple);
After Paul's recent improvement to syzkaller to improve coverage for bpf_mprog and tcx, it hit a splat that the program limit was surpassed. What happened is that the maximum number of progs got added, followed by another prog add request which adds with BPF_F_BEFORE flag relative to the last program in the array. The idx >= bpf_mprog_max() check in bpf_mprog_attach() still passes because the index is below the maximum but the maximum will be surpassed. We need to add a check upfront for insertions to catch this situation. Fixes: 053c8e1f235d ("bpf: Add generic attach/detach/query API for multi-progs") Reported-by: syzbot+baa44e3dbbe48e05c1ad@syzkaller.appspotmail.com Reported-by: syzbot+b97d20ed568ce0951a06@syzkaller.appspotmail.com Reported-by: syzbot+2558ca3567a77b7af4e3@syzkaller.appspotmail.com Co-developed-by: Nikolay Aleksandrov <razor@blackwall.org> Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: syzbot+baa44e3dbbe48e05c1ad@syzkaller.appspotmail.com Tested-by: syzbot+b97d20ed568ce0951a06@syzkaller.appspotmail.com Link: https://github.com/google/syzkaller/pull/4207 --- kernel/bpf/mprog.c | 3 +++ 1 file changed, 3 insertions(+)