Subject: Re: general protection fault in cgroup_fd_array_put_ptr
From: Daniel Borkmann
To: syzbot , ast@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <001a114fcf2ce7d12705626b943d@google.com>
Message-ID: <2e683b78-bd9e-bbb6-c9bb-3ff46a16ef6e@iogearbox.net>
Date: Wed, 10 Jan 2018 17:23:38 +0100

On 01/10/2018 04:30 PM, Daniel Borkmann wrote:
> On 01/10/2018 01:58 PM, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on b4464bcab38d3f7fe995a7cb960eeac6889bec08
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> C reproducer is attached
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>
> Currently looking into all of the reports. Looks like they're all related to fd array
> map. Will get back once I have some more data & managed to reproduce.

Ok, I know what's going on. Very roughly, we need something like the below to check for overflows; this definitely fixes it for me. Cooking a proper patch and doing some more analysis around it.
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index aaa3198..454f52c 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -76,11 +76,17 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) max_entries = attr->max_entries; index_mask = roundup_pow_of_two(max_entries) - 1; - if (unpriv) + if (unpriv) { /* round up array size to nearest power of 2, * since cpu will speculate within index_mask limits */ max_entries = index_mask + 1; + if (max_entries < attr->max_entries) + return ERR_PTR(-E2BIG); + } array_size = sizeof(*array); if (percpu)
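Review bot: the wrap-around that the new check depends on is left implicit in the hunk. `index_mask` is computed just above as `roundup_pow_of_two(max_entries) - 1`; if it is 32 bits wide like `attr->max_entries`, then for values above 2^31 the rounded size no longer fits, `index_mask` becomes all ones, and `max_entries = index_mask + 1` wraps to 0, which is exactly what makes `max_entries < attr->max_entries` true. A one-line comment at the check (or computing the rounded size in a 64-bit intermediate and comparing that against the limit directly) would make the intent obvious to the next reader. The `-E2BIG` return also sits only inside the `if (unpriv)` branch, so the commit message should spell out that the failing case is an unprivileged caller with an oversized `max_entries`, since the privileged path keeps the caller's value and is not covered by this check.

As an added illustration, not taken from Daniel's mail or from the kernel tree: a small C model of the arithmetic the hunk guards, assuming `max_entries` and `index_mask` are 32-bit values and that `roundup_pow_of_two()` works on a 64-bit unsigned long as on x86_64; all function and struct names below are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical model of the array_map_alloc() arithmetic in the patch above,
 * not the kernel code. attr_max_entries models the u32 attr->max_entries and
 * is assumed to be >= 1, as the kernel rejects zero-sized maps earlier. */

#define E2BIG 7

struct model_map {
    uint32_t index_mask;   /* mask applied to every lookup index */
    uint32_t max_entries;  /* number of elements actually allocated */
};

/* roundup_pow_of_two() on a 64-bit unsigned long: 2^31 + 1 rounds to 2^32. */
static uint64_t roundup_pow_of_two64(uint64_t n)
{
    if (n <= 1)
        return 1;
    return 1ULL << (64 - __builtin_clzll(n - 1));
}

/* Returns 0 and fills *m on success, -E2BIG when rounding up wraps the u32. */
int model_array_map_alloc(uint32_t attr_max_entries, bool unpriv, struct model_map *m)
{
    uint32_t max_entries = attr_max_entries;
    /* The u32 store truncates 2^32 - 1 to all ones for oversized inputs. */
    uint32_t index_mask = (uint32_t)(roundup_pow_of_two64(max_entries) - 1);

    if (unpriv) {
        /* Round up so speculative accesses stay within index_mask. */
        max_entries = index_mask + 1;     /* wraps to 0 when index_mask is all ones */
        if (max_entries < attr_max_entries)
            return -E2BIG;                /* the overflow check the hunk adds */
    }
    m->index_mask = index_mask;
    m->max_entries = max_entries;
    return 0;
}

/* The invariant the mask is meant to provide: a masked index never reaches
 * past the allocated entries. With max_entries wrapped to 0 it would fail
 * for every index, which is the out-of-bounds access the check prevents. */
bool model_lookup_in_bounds(const struct model_map *m, uint32_t index)
{
    return (index & m->index_mask) < m->max_entries;
}
```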