From patchwork Thu Mar 7 12:03:35 2024
X-Patchwork-Submitter: Toke Høiland-Jørgensen
X-Patchwork-Id: 13585496
X-Patchwork-Delegate: bpf@iogearbox.net
From: Toke Høiland-Jørgensen
To: Alexei Starovoitov, Daniel Borkmann, "David S. Miller", Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Toke Høiland-Jørgensen
Cc: syzbot+8cd36f6b65f3cafd400a@syzkaller.appspotmail.com, netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH bpf v3 1/3] bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
Date: Thu, 7 Mar 2024 13:03:35 +0100
Message-ID: <20240307120340.99577-2-toke@redhat.com>
X-Mailer: git-send-email 2.43.2
In-Reply-To: <20240307120340.99577-1-toke@redhat.com>
References: <20240307120340.99577-1-toke@redhat.com>
X-Mailing-List: bpf@vger.kernel.org

The devmap code allocates a number of hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end.

Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.

Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index")
Link: https://lore.kernel.org/r/000000000000ed666a0611af6818@google.com
Reported-and-tested-by: syzbot+8cd36f6b65f3cafd400a@syzkaller.appspotmail.com
Signed-off-by: Toke Høiland-Jørgensen
---
 kernel/bpf/devmap.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index a936c704d4e7..4e2cdbb5629f 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -130,13 +130,14 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) bpf_map_init_from_attr(&dtab->map, attr); if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { - dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); - - if (!dtab->n_buckets) /* Overflow check */ + /* hash table size must be power of 2; roundup_pow_of_two() can + * overflow into UB on 32-bit arches, so check that first + */ + if (dtab->map.max_entries > 1UL << 31) return -EINVAL; - } - if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { + dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); + dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets, dtab->map.numa_node); if (!dtab->dev_index_head)

From patchwork Thu Mar 7 12:03:36 2024
X-Patchwork-Submitter: Toke Høiland-Jørgensen
X-Patchwork-Id: 13585498
X-Patchwork-Delegate: bpf@iogearbox.net
From: Toke Høiland-Jørgensen
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, "David S. Miller"
Cc: Toke Høiland-Jørgensen, bpf@vger.kernel.org
Subject: [PATCH bpf v3 2/3] bpf: Fix hashtab overflow check on 32-bit arches
Date: Thu, 7 Mar 2024 13:03:36 +0100
Message-ID: <20240307120340.99577-3-toke@redhat.com>
X-Mailer: git-send-email 2.43.2
In-Reply-To: <20240307120340.99577-1-toke@redhat.com>
References: <20240307120340.99577-1-toke@redhat.com>
X-Mailing-List: bpf@vger.kernel.org

The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup.

Fixes: daaf427c6ab3 ("bpf: fix arraymap NULL deref and missing overflow and zero size checks")
Signed-off-by: Toke Høiland-Jørgensen
---
 kernel/bpf/hashtab.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 03a6a2500b6a..0cac6a65235c 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -499,7 +499,13 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) num_possible_cpus()); } - /* hash table size must be power of 2 */ + /* hash table size must be power of 2; roundup_pow_of_two() can overflow + * into UB on 32-bit arches, so check that first + */ + err = -E2BIG; + if (htab->map.max_entries > 1UL << 31) + goto free_htab; + htab->n_buckets = roundup_pow_of_two(htab->map.max_entries); htab->elem_size = sizeof(struct htab_elem) + 
@@ -509,10 +515,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) else htab->elem_size += round_up(htab->map.value_size, 8); - err = -E2BIG; - /* prevent zero size kmalloc and check for u32 overflow */ - if (htab->n_buckets == 0 || - htab->n_buckets > U32_MAX / sizeof(struct bucket)) + /* prevent zero size kmalloc */ + if (htab->n_buckets > U32_MAX / sizeof(struct bucket)) goto free_htab; err = bpf_map_init_elem_count(&htab->map);

From patchwork Thu Mar 7 12:03:37 2024
X-Patchwork-Submitter: Toke Høiland-Jørgensen
X-Patchwork-Id: 13585499
X-Patchwork-Delegate: bpf@iogearbox.net
From: Toke Høiland-Jørgensen
To: Song Liu, Jiri Olsa, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Bui Quang Minh
Cc: Toke Høiland-Jørgensen, bpf@vger.kernel.org
Subject: [PATCH bpf v3 3/3] bpf: Fix stackmap overflow check on 32-bit arches
Date: Thu, 7 Mar 2024 13:03:37 +0100
Message-ID: <20240307120340.99577-4-toke@redhat.com>
X-Mailer: git-send-email 2.43.2
In-Reply-To: <20240307120340.99577-1-toke@redhat.com>
References: <20240307120340.99577-1-toke@redhat.com>
X-Mailing-List: bpf@vger.kernel.org

The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code.

The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem.

Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()")
Signed-off-by: Toke Høiland-Jørgensen
Reviewed-by: Bui Quang Minh
---
 kernel/bpf/stackmap.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index dff7ba539701..c99f8e5234ac 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -91,11 +91,14 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) } else if (value_size / 8 > sysctl_perf_event_max_stack) return ERR_PTR(-EINVAL); - /* hash table size must be power of 2 */ - n_buckets = roundup_pow_of_two(attr->max_entries); - if (!n_buckets) + /* hash table size must be power of 2; roundup_pow_of_two() can overflow + * into UB on 32-bit arches, so check that first + */ + if (attr->max_entries > 1UL << 31) return ERR_PTR(-E2BIG); + n_buckets = roundup_pow_of_two(attr->max_entries); + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); smap = bpf_map_area_alloc(cost, bpf_map_attr_numa_node(attr)); if (!smap)
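
Review bot: the new bound check in dev_map_init_map() (kernel/bpf/devmap.c, patch 1/3) returns -EINVAL for max_entries > 1UL << 31, while the same check in the hashtab.c and stackmap.c patches of this series returns -E2BIG. The -EINVAL is the unchanged context line that the removed `if (!dtab->n_buckets)` test used to reach, so existing behaviour is preserved, but the changelog should state that the difference is deliberate, or the three map types should agree on one errno for an oversized max_entries.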
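
Review bot: in the first kernel/bpf/hashtab.c hunk (patch 2/3, @@ -499), `err = -E2BIG;` is now assigned before the max_entries check, and the second hunk drops the assignment that used to sit next to the `htab->n_buckets > U32_MAX / sizeof(struct bucket)` test. That later `goto free_htab` therefore returns -E2BIG only as long as nothing between the two checks writes err. Keeping an `err = -E2BIG;` directly before the second check as well would leave each goto with its error code set next to it.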
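
Review bot: the rewritten comment in the second kernel/bpf/hashtab.c hunk (patch 2/3, @@ -509) says "prevent zero size kmalloc", but the zero test `htab->n_buckets == 0` is the part this hunk removes. What remains, `htab->n_buckets > U32_MAX / sizeof(struct bucket)`, is the u32 overflow check on the bucket array size, so the comment should keep the "check for u32 overflow" half of the old wording and drop the zero-size half.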
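
Review bot: the bound `attr->max_entries > 1UL << 31` and its comment in stack_map_alloc() (kernel/bpf/stackmap.c, patch 3/3) are the third copy of the same check and the same comment in this series, after devmap.c and hashtab.c. A shared helper or a named constant for the largest max_entries that roundup_pow_of_two() can round safely would keep the three call sites from drifting apart, which the commit messages note is how the original unchecked pattern spread from hashtab to DEVMAP_HASH.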