Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp505067pxb; Wed, 27 Jan 2021 13:15:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJy1EGrjwxEwle+IDaNJGuqZIT75Xg0RuY+XxXKKQnAAEa+D0fKtSMOXurALT0RpSKoHQNSm X-Received: by 2002:a05:6402:151:: with SMTP id s17mr10249527edu.107.1611782109789; Wed, 27 Jan 2021 13:15:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611782109; cv=none; d=google.com; s=arc-20160816; b=q8upJbNO/3EnanAfbo7t5HFdlwdKGGF4Oat9rtMRClwRxp+h9NWmaRQo8T3RqlpWA9 EuKUA7af8/Z2c4KBGUdo3pCDzwlYU2xKDEdzoibROHyViCKovmSSXYheVf/rSFiG9Ux8 2DBszcMdWHekQfkG7bTRlucXVUYCxiq2Z3OXk3uRquMVmE1GCgff6B2x2yiWTTEJO/BO J/hZ4416YQnTmtUACCNHxkV1EwRgEl7JLKgvzw50i0UywvaPg6u91WaUrM1rwoHn0p8c W8mhwtpiy4sCfuO1VhjfvWdncK3JzqCPGpX7f552IX/QHzmLAKfAVfvAIja9YBkYnGOg nOng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=RmgqS7WyjiiRJi9z89KhXde85FYcLyN/Zij0A6xH6Vg=; b=T940YMpYOn0iFDpX06OCO/GFj5QH+wP+gOczrlrm2Eqkqa/942vLg4ZwlqsYCQNHy/ j7or/AXlyJwRc6Smps2C4tDydM/1cjj2GWjD3vbdyLuhVX77HZ+csTOMxxO5PLPBYKct DmsCcLBrnDLd08fxf4YsMHYPTjBycAQN0wWoR7YefXKffQSFUlRDuquguHsLWIsd/Y77 H6MQRb4KmnoxXypiP5TDWN3kE/ku3DcN13Hg2UwTOgKXTH75xz1fMJDu9c1G5HSfU668 e8cfTtV4XAXcvGnKSsDbvOxttfBUvIdMaDmnsWTMDlwurBbqLrpo8z0qA+iglPhcUaYf M5RQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=RnKa9K+3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gw23si1335265ejb.145.2021.01.27.13.14.42; Wed, 27 Jan 2021 13:15:09 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=RnKa9K+3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234813AbhA0FYy (ORCPT + 99 others); Wed, 27 Jan 2021 00:24:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37028 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231944AbhA0FKZ (ORCPT ); Wed, 27 Jan 2021 00:10:25 -0500 Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A8D2AC06174A; Tue, 26 Jan 2021 21:09:45 -0800 (PST) Received: by mail-pl1-x62d.google.com with SMTP id e9so391299plh.3; Tue, 26 Jan 2021 21:09:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=RmgqS7WyjiiRJi9z89KhXde85FYcLyN/Zij0A6xH6Vg=; b=RnKa9K+3TRouGov1X7r8uImWnhCFlAivPGcaKhDgCwaW+BlBYVStKd9X2c+ERdkCqs DiNwcROLJFNuIruXq4aredzwhJEi/BK9aj9OAhe6veI7SNgaZIZNEQ1y7X4x8cPyHy7T gz7nlEbdjXWfKHoRY7QNvcRyBf3mVH98dVF0VZpmlVl02W75rF5JOgy7upQkDB7+R4qd zUsrceiyKSUv/U0vWD/9JABS9rUe31D/KC/uuxiclIrBkDyv+3Hd4VK5lOzi7cllAWul zC7aR11dEAU8YkrSeP7ml4XWuETVDBjyx9KQuZ8m83GGCr7BlqSEY3rOdvSA6f1tilq7 Tf/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=RmgqS7WyjiiRJi9z89KhXde85FYcLyN/Zij0A6xH6Vg=; b=oTvBDzOzRbQoNglVh+dhoB+9+Nmsut+3ArGgvDD8j62d7G/aYxZ3RbwxoPvBL9UEuT Ecs3Xri1GHhANUQ4KyndczwP3RK3U3HmDsX0zQDOyT4CtCDsSdoJPCKILxNXzstT/qdl v4U4J647tfpBEETXYBI2bX4Rl5HxOxDBNbg/TeXMtuqZHUaE+i8ml9ndbS7Sw6Sy4qVn Sv5Sep3qAVcpeH0sLK5pqkCUCgsdIt4uty4va5lvrrs7EpUlP355JS1E3Uo3iiiaG+Qy 8P771bUoGX3ETwEe/Q263X5tGBiirS9i6UZu+/aXdqs2gixjvYuMpcmoQyoJ12olTUVz TwrQ== X-Gm-Message-State: AOAM531BuWanll6E80sv+4MhO1uI2ZJJY5DQdeqbxxjOfVR6/XS+/KHJ A6emeGANbIdV5dm2ko+3hio= X-Received: by 2002:a17:90b:4c8e:: with SMTP id my14mr3637771pjb.30.1611724185071; Tue, 26 Jan 2021 21:09:45 -0800 (PST) Received: from ubuntu ([1.53.255.147]) by smtp.gmail.com with ESMTPSA id t129sm746515pfc.16.2021.01.26.21.09.40 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Tue, 26 Jan 2021 21:09:44 -0800 (PST) Date: Wed, 27 Jan 2021 12:09:37 +0700 From: Bui Quang Minh To: Lorenz Bauer Cc: Alexei Starovoitov , Daniel Borkmann , "David S . Miller" , Jakub Kicinski , hawk@kernel.org, John Fastabend , Andrii Nakryiko , Martin Lau , Song Liu , Yonghong Song , kpsingh@kernel.org, Jakub Sitnicki , Networking , bpf , LKML Subject: Re: [PATCH] bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc Message-ID: <20210127050937.GA5418@ubuntu> References: <20210126082606.3183-1-minhquangbui99@gmail.com> <20210127042341.GA4948@ubuntu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210127042341.GA4948@ubuntu> User-Agent: Mutt/1.9.4 (2018-02-28) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 27, 2021 at 11:23:41AM +0700, Bui Quang Minh wrote: > > * Seems like there are quite a few similar calls scattered around > > (cpumap, etc.). Did you audit these as well? > > I spotted another bug after re-auditting. In hashtab, there ares 2 places using > the same calls > > static struct bpf_map *htab_map_alloc(union bpf_attr *attr) > { > /* ... snip ... */ > if (htab->n_buckets == 0 || > htab->n_buckets > U32_MAX / sizeof(struct bucket)) > goto free_htab; > > htab->buckets = bpf_map_area_alloc(htab->n_buckets * > sizeof(struct bucket), > htab->map.numa_node); > } > > This is safe because of the above check. > > static int prealloc_init(struct bpf_htab *htab) > { > u32 num_entries = htab->map.max_entries; > htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries, > htab->map.numa_node); > } > > This is not safe since there is no limit check in elem_size. So sorry but I rechecked and saw this bug in hashtab has been fixed with commit e1868b9e36d0ca Thank you, Quang Minh.