iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/kernel
History
Daniel Borkmann bbeb6e4323 bpf, array: fix overflow in max_entries and undefined behavior in index_mask 
syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
and thus unprivileged. With the recently added logic in b2157399cc98
("bpf: prevent out-of-bounds speculation") we round this up to the next
power of two value for max_entries for unprivileged such that we can
apply proper masking into potentially zeroed out map slots.

However, this will generate an index_mask of 0xffffffff, and therefore
a + 1 will let this overflow into new max_entries of 0. This will pass
allocation, etc, and later on map access we still enforce on the original
attr->max_entries value which was 0xfffffffd, therefore triggering GPF
all over the place. Thus bail out on overflow in such case.

Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
space is undefined. Therefore, do this by hand in a 64 bit variable.

This fixes all the issues triggered by syzkaller's reproducers.

Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2018-01-10 14:46:39 -08:00
..
bpf
bpf, array: fix overflow in max_entries and undefined behavior in index_mask
2018-01-10 14:46:39 -08:00
cgroup
cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
2017-12-20 07:09:19 -08:00
configs
ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.
2017-08-22 18:43:23 -07:00
debug
kdb: Fix handling of kallsyms_symbol_next() return value
2017-12-06 16:12:43 -06:00
events
locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
2017-12-17 13:57:15 +01:00
gcov
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
irq
genirq/msi, x86/vector: Prevent reservation mode for non maskable MSI
2017-12-29 21:13:05 +01:00
livepatch
Merge branch 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching
2017-11-15 10:21:58 -08:00
locking
locking/lockdep: Remove the cross-release locking checks
2017-12-12 12:38:51 +01:00
power
Revert "cpuset: Make cpuset hotplug synchronous"
2017-12-04 14:41:11 -08:00
printk
remove task and stack pointer printout from oops dump
2017-12-05 08:23:20 -08:00
rcu
Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-11-13 17:56:58 -08:00
sched
cpufreq: schedutil: Use idle_calls counter of the remote CPU
2017-12-28 12:26:54 +01:00
time
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-12-31 12:30:34 -08:00
trace
tracing: Fix possible double free on failure of allocating trace buffer
2017-12-27 14:21:27 -05:00
.gitignore
acct.c
kernel/acct.c: fix the acct->needcheck check in check_free_space()
2018-01-04 16:45:09 -08:00
async.c
async: Adjust system_state checks
2017-05-23 10:01:37 +02:00
audit_fsnotify.c
Merge branch 'fsnotify' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2017-05-03 11:05:15 -07:00
audit_tree.c
Merge branch 'fsnotify' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2017-11-14 14:08:20 -08:00
audit_watch.c
audit/stable-4.13 PR 20170816
2017-08-16 16:48:34 -07:00
audit.c
Audit: remove unused audit_log_secctx function
2017-11-10 16:08:47 -05:00
audit.h
audit/stable-4.15 PR 20171113
2017-11-15 13:28:48 -08:00
auditfilter.c
audit: filter PATH records keyed on filesystem magic
2017-11-10 16:08:56 -05:00
auditsc.c
audit/stable-4.15 PR 20171113
2017-11-15 13:28:48 -08:00
backtracetest.c
bounds.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
capability.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
compat.c
sched_rr_get_interval(): move compat to native, get rid of set_fs()
2017-09-20 00:30:57 -04:00
configs.c
context_tracking.c
cpu_pm.c
PM / CPU: replace raw_notifier with atomic_notifier
2017-07-31 13:09:49 +02:00
cpu.c
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-12-31 12:30:34 -08:00
crash_core.c
kdump: print a message in case parse_crashkernel_mem resulted in zero bytes
2017-11-17 16:10:03 -08:00
crash_dump.c
cred.c
doc: ReSTify credentials.txt
2017-05-18 10:30:19 -06:00
delayacct.c
dma.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
elfcore.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
exec_domain.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
exit.c
kernel/exit.c: export abort() to modules
2018-01-04 16:45:09 -08:00
extable.c
kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules
2017-11-07 12:20:09 +01:00
fork.c
Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-12-23 11:53:04 -08:00
freezer.c
futex_compat.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
futex.c
futex: futex_wake_op, fix sign_extend32 sign bits
2017-12-10 12:50:57 -08:00
groups.c
kernel: make groups_sort calling a responsibility group_info allocators
2017-12-14 16:00:49 -08:00
hung_task.c
kernel/hung_task.c: defer showing held locks
2017-05-08 17:15:10 -07:00
irq_work.c
Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-11-13 17:33:11 -08:00
jump_label.c
jump_label: Invoke jump_label_test() via early_initcall()
2017-11-14 08:41:41 +01:00
kallsyms.c
kallsyms: take advantage of the new '%px' format
2017-11-29 10:30:13 -08:00
kcmp.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kcov: fix comparison callback signature
2017-12-14 16:00:48 -08:00
kexec_core.c
x86/mm, kexec: Allow kexec to be used with SME
2017-07-18 11:38:04 +02:00
kexec_file.c
resource: Provide resource struct in resource walk callback
2017-11-07 15:35:57 +01:00
kexec_internal.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
kexec.c
kdump: protect vmcoreinfo data under the crash memory
2017-07-12 16:26:00 -07:00
kmod.c
kmod: move #ifdef CONFIG_MODULES wrapper to Makefile
2017-09-08 18:26:51 -07:00
kprobes.c
kprobes: Disable the jprobes APIs
2017-10-20 11:02:29 +02:00
ksysfs.c
kexec: move vmcoreinfo out of the kernel's .bss section
2017-07-12 16:25:59 -07:00
kthread.c
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
latencytop.c
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
memremap.c
memremap: add scheduling point to devm_memremap_pages
2017-10-03 17:54:25 -07:00
module_signing.c
module-internal.h
module.c
kallsyms: take advantage of the new '%px' format
2017-11-29 10:30:13 -08:00
notifier.c
nsproxy.c
padata.c
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
panic.c
kernel/panic.c: add TAINT_AUX
2017-11-17 16:10:04 -08:00
params.c
kernel/params.c: improve STANDARD_PARAM_DEF readability
2017-10-03 17:54:26 -07:00
pid_namespace.c
pid: remove pidhash
2017-11-17 16:10:04 -08:00
pid.c
pid: Handle failure to allocate the first pid in a pid namespace
2017-12-23 21:00:09 -06:00
profile.c
ptrace.c
signal: Remove kernel interal si_code magic
2017-07-24 14:30:28 -05:00
range.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
reboot.c
kernel/reboot.c: add devm_register_reboot_notifier()
2017-11-17 16:10:04 -08:00
relay.c
resource.c
x86/mm, resource: Use PAGE_KERNEL protection for ioremap of memory pages
2017-11-07 15:35:58 +01:00
seccomp.c
locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
2017-12-17 13:57:15 +01:00
signal.c
Merge branch 'akpm' (patches from Andrew)
2017-11-17 16:56:17 -08:00
smp.c
smp/core: Use lockdep to assert IRQs are disabled/enabled
2017-11-08 11:13:50 +01:00
smpboot.c
watchdog/core, powerpc: Lock cpus across reconfiguration
2017-10-04 10:53:54 +02:00
smpboot.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
softirq.c
kmemcheck: rip it out
2017-11-15 18:21:05 -08:00
stacktrace.c
stop_machine.c
stop_machine: Provide stop_machine_cpuslocked()
2017-05-26 10:10:36 +02:00
sys_ni.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sys.c
arm64 updates for 4.15
2017-11-15 10:56:56 -08:00
sysctl_binary.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sysctl.c
kernel/sysctl.c: code cleanups
2017-11-17 16:10:03 -08:00
task_work.c
locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
2017-12-17 13:57:15 +01:00
taskstats.c
taskstats: add e/u/stime for TGID command
2017-05-08 17:15:12 -07:00
test_kprobes.c
kprobes: Disable the jprobes test code
2017-10-20 11:02:54 +02:00
torture.c
torture: Fix typo suppressing CPU-hotplug statistics
2017-07-25 13:04:45 -07:00
tracepoint.c
tsacct.c
ucount.c
uid16.c
kernel: make groups_sort calling a responsibility group_info allocators
2017-12-14 16:00:49 -08:00
umh.c
kernel/umh.c: optimize 'proc_cap_handler()'
2017-11-17 16:10:01 -08:00
up.c
smp: Avoid using two cache lines for struct call_single_data
2017-08-29 15:14:38 +02:00
user_namespace.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2017-11-16 12:20:15 -08:00
user-return-notifier.c
user.c
userns: use union in {g,u}idmap struct
2017-10-31 17:22:58 -05:00
utsname_sysctl.c
utsname.c
watchdog_hld.c
Merge branch 'linus' into core/urgent, to pick up dependent commits
2017-11-04 08:53:04 +01:00
watchdog.c
Merge branch 'linus' into sched/core, to pick up fixes
2017-11-08 10:17:15 +01:00
workqueue_internal.h
Merge branch 'for-4.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
2017-11-06 12:26:49 -08:00
workqueue.c
workqueue: remove unneeded kallsyms include
2017-12-11 07:15:43 -08:00