iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
67c05d9414512e1f9040d29e37e3d5533d8c51dd
linux/kernel
History
Daniel Borkmann 67c05d9414 bpf, array: fix overflow in max_entries and undefined behavior in index_mask 
commit bbeb6e4323 upstream.

syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
and thus unprivileged. With the recently added logic in b2157399cc
("bpf: prevent out-of-bounds speculation") we round this up to the next
power of two value for max_entries for unprivileged such that we can
apply proper masking into potentially zeroed out map slots.

However, this will generate an index_mask of 0xffffffff, and therefore
a + 1 will let this overflow into new max_entries of 0. This will pass
allocation, etc, and later on map access we still enforce on the original
attr->max_entries value which was 0xfffffffd, therefore triggering GPF
all over the place. Thus bail out on overflow in such case.

Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
space is undefined. Therefore, do this by hand in a 64 bit variable.

This fixes all the issues triggered by syzkaller's reproducers.

Fixes: b2157399cc ("bpf: prevent out-of-bounds speculation")
Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-17 09:45:25 +01:00
..
bpf
bpf, array: fix overflow in max_entries and undefined behavior in index_mask
2018-01-17 09:45:25 +01:00
cgroup
cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
2018-01-17 09:45:18 +01:00
configs
ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.
2017-08-22 18:43:23 -07:00
debug
kdb: Fix handling of kallsyms_symbol_next() return value
2017-12-14 09:52:58 +01:00
events
locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
2017-12-25 14:26:21 +01:00
gcov
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
irq
genirq: Track whether the trigger type has been set
2017-11-30 08:40:52 +00:00
livepatch
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
locking
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
power
PM / s2idle: Clear the events_check_enabled flag
2017-12-20 10:10:23 +01:00
printk
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
rcu
rcu: Fix up pending cbs check in rcu_prepare_for_idle
2017-11-24 08:37:04 +01:00
sched
membarrier: Disable preemption when calling smp_call_function_many()
2018-01-17 09:45:23 +01:00
time
nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
2018-01-02 20:31:16 +01:00
trace
ring-buffer: Do no reuse reader page if still in use
2018-01-02 20:31:03 +01:00
.gitignore
acct.c
kernel/acct.c: fix the acct->needcheck check in check_free_space()
2018-01-10 09:31:17 +01:00
async.c
async: Adjust system_state checks
2017-05-23 10:01:37 +02:00
audit_fsnotify.c
Merge branch 'fsnotify' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2017-05-03 11:05:15 -07:00
audit_tree.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
audit_watch.c
Merge tag 'audit-pr-20170816' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2017-08-16 16:48:34 -07:00
audit.c
audit: ensure that 'audit=1' actually enables audit for PID 1
2017-12-17 15:08:00 +01:00
audit.h
ipc: mqueue: Replace timespec with timespec64
2017-09-03 20:21:24 -04:00
auditfilter.c
audit: kernel generated netlink traffic should have a portid of 0
2017-05-02 10:16:05 -04:00
auditsc.c
Merge branch 'work.ipc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-09-14 17:37:26 -07:00
backtracetest.c
bounds.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
capability.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
compat.c
semtimedop(): move compat to native
2017-07-15 20:46:47 -04:00
configs.c
context_tracking.c
cpu_pm.c
PM / CPU: replace raw_notifier with atomic_notifier
2017-07-31 13:09:49 +02:00
cpu.c
timers: Reinitialize per cpu bases on hotplug
2018-01-02 20:31:15 +01:00
crash_core.c
kdump: protect vmcoreinfo data under the crash memory
2017-07-12 16:26:00 -07:00
crash_dump.c
cred.c
doc: ReSTify credentials.txt
2017-05-18 10:30:19 -06:00
delayacct.c
sched/headers: Prepare to move cputime functionality from <linux/sched.h> into <linux/sched/cputime.h>
2017-03-02 08:42:39 +01:00
dma.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
elfcore.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
exec_domain.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
exit.c
waitid(): Avoid unbalanced user_access_end() on access_ok() error
2017-10-20 15:32:54 -04:00
extable.c
extable: Enable RCU if it is not watching in kernel_text_address()
2017-09-23 16:50:20 -04:00
fork.c
arch, mm: Allow arch_dup_mmap() to fail
2017-12-29 17:53:43 +01:00
freezer.c
futex_compat.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
futex.c
Merge branch 'linus' into core/urgent, to pick up dependent commits
2017-11-04 08:53:04 +01:00
groups.c
kernel: make groups_sort calling a responsibility group_info allocators
2017-12-20 10:10:18 +01:00
hung_task.c
kernel/hung_task.c: defer showing held locks
2017-05-08 17:15:10 -07:00
irq_work.c
jump_label.c
jump_label: Invoke jump_label_test() via early_initcall()
2017-12-14 09:53:13 +01:00
kallsyms.c
kernel/kallsyms.c: replace all_var with IS_ENABLED(CONFIG_KALLSYMS_ALL)
2017-07-10 16:32:34 -07:00
kcmp.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
kexec_core.c
x86/mm, kexec: Allow kexec to be used with SME
2017-07-18 11:38:04 +02:00
kexec_file.c
kexec_file: adjust declaration of kexec_purgatory
2017-07-12 16:26:02 -07:00
kexec_internal.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
kexec.c
kdump: protect vmcoreinfo data under the crash memory
2017-07-12 16:26:00 -07:00
kmod.c
kmod: move #ifdef CONFIG_MODULES wrapper to Makefile
2017-09-08 18:26:51 -07:00
kprobes.c
kprobes: Use synchronize_rcu_tasks() for optprobe with CONFIG_PREEMPT=y
2017-12-10 13:40:40 +01:00
ksysfs.c
kexec: move vmcoreinfo out of the kernel's .bss section
2017-07-12 16:25:59 -07:00
kthread.c
kernel/kthread.c: kthread_worker: don't hog the cpu
2017-08-31 16:33:15 -07:00
latencytop.c
sched/headers: Prepare to move sched_info_on() and force_schedstat_enabled() from <linux/sched.h> to <linux/sched/stat.h>
2017-03-02 08:42:39 +01:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
memremap.c
memremap: add scheduling point to devm_memremap_pages
2017-10-03 17:54:25 -07:00
module_signing.c
module-internal.h
module.c
module: fix ddebug_remove_module()
2017-07-25 15:08:32 +02:00
notifier.c
kernel/notifier.c: simplify expression
2017-02-24 17:46:56 -08:00
nsproxy.c
perf: Add PERF_RECORD_NAMESPACES to include namespaces related info
2017-03-13 15:57:41 -03:00
padata.c
padata: Avoid nested calls to cpus_read_lock() in pcrypt_init_padata()
2017-05-26 10:10:37 +02:00
panic.c
locking/refcounts, x86/asm: Implement fast refcount overflow protection
2017-08-17 10:40:26 +02:00
params.c
kernel/params.c: improve STANDARD_PARAM_DEF readability
2017-10-03 17:54:26 -07:00
pid_namespace.c
userns,pidns: Verify the userns for new pid namespaces
2017-07-20 07:43:58 -05:00
pid.c
pids: make task_tgid_nr_ns() safe
2017-08-21 12:47:31 -07:00
profile.c
sched/headers: Prepare to move sched_info_on() and force_schedstat_enabled() from <linux/sched.h> to <linux/sched/stat.h>
2017-03-02 08:42:39 +01:00
ptrace.c
signal: Remove kernel interal si_code magic
2017-07-24 14:30:28 -05:00
range.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
reboot.c
relay.c
Merge branch 'work.splice' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-05-02 11:38:06 -07:00
resource.c
seccomp.c
locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
2017-12-25 14:26:21 +01:00
signal.c
kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal()
2018-01-10 09:31:20 +01:00
smp.c
treewide: make "nr_cpu_ids" unsigned
2017-09-08 18:26:48 -07:00
smpboot.c
watchdog/core, powerpc: Lock cpus across reconfiguration
2017-10-04 10:53:54 +02:00
smpboot.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
softirq.c
sched/core: Remove 'task' parameter and rename tsk_restore_flags() to current_restore_flags()
2017-04-11 09:06:32 +02:00
stacktrace.c
stacktrace/x86: add function for detecting reliable stack traces
2017-03-08 09:18:02 +01:00
stop_machine.c
stop_machine: Provide stop_machine_cpuslocked()
2017-05-26 10:10:36 +02:00
sys_ni.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sys.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sysctl_binary.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sysctl.c
pipe: match pipe_max_size data type with procfs
2017-12-14 09:53:08 +01:00
task_work.c
locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
2017-12-25 14:26:21 +01:00
taskstats.c
taskstats: add e/u/stime for TGID command
2017-05-08 17:15:12 -07:00
test_kprobes.c
torture.c
torture: Fix typo suppressing CPU-hotplug statistics
2017-07-25 13:04:45 -07:00
tracepoint.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/task.h>
2017-03-02 08:42:35 +01:00
tsacct.c
sched/headers: Prepare to move cputime functionality from <linux/sched.h> into <linux/sched/cputime.h>
2017-03-02 08:42:39 +01:00
ucount.c
ucount: Remove the atomicity from ucount->count
2017-03-06 15:26:37 -06:00
uid16.c
kernel: make groups_sort calling a responsibility group_info allocators
2017-12-20 10:10:18 +01:00
umh.c
kmod: split out umh code into its own file
2017-09-08 18:26:50 -07:00
up.c
smp: Avoid using two cache lines for struct call_single_data
2017-08-29 15:14:38 +02:00
user_namespace.c
userns,pidns: Verify the userns for new pid namespaces
2017-07-20 07:43:58 -05:00
user-return-notifier.c
user.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/user.h>
2017-03-02 08:42:29 +01:00
utsname_sysctl.c
sched/headers: Remove <linux/rwsem.h> from <linux/sched.h>
2017-03-03 01:45:36 +01:00
utsname.c
sched/headers: Prepare to move the task_lock()/unlock() APIs to <linux/sched/task.h>
2017-03-02 08:42:38 +01:00
watchdog_hld.c
Merge branch 'linus' into core/urgent, to pick up dependent commits
2017-11-04 08:53:04 +01:00
watchdog.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
workqueue_internal.h
Merge branch 'for-4.14-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq
2017-11-06 12:26:49 -08:00
workqueue.c
workqueue: replace pool->manager_arb mutex with a flag
2017-10-10 07:13:57 -07:00