Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp615364pxb; Wed, 27 Jan 2021 16:52:33 -0800 (PST) X-Google-Smtp-Source: ABdhPJwdHYRQRFqx4IudEU8VXoem5U5kUUtq1SOj+fcNfxKKJPCVWdONch87TMBaPWuqwGBTd+DZ X-Received: by 2002:a17:906:828a:: with SMTP id h10mr8960097ejx.274.1611795153259; Wed, 27 Jan 2021 16:52:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611795153; cv=none; d=google.com; s=arc-20160816; b=Bp+OymY4EIN9zV0TMnhbMAFMp45xMZs/hrkCcDNnSAhfsV0gRz4ifN9+EPjqigLaYM 3FapRNiMcdSpwjEkHBDLqB+tqAwISjQaEbZHJeYXDf9uTHKb28jbl72jLBKLmlVCxy3w kCLf0OaQpvdTURV07vrZCMhuQ4ikex0lNEcAGbGplP8/Y3gAam8wrPrYEl0k++mVl+Zc UPKK3I7K4qKGkrysN4eFm+mXcb5JsNTpgyaowabg6QQfchjJu4XkD6/RIlgTouGjYJat 1xZj6ZK5vGDeGALeIoeiYRLwJuW/EHicNK18tJWrtAlfpvRUii/8BRUEAXTY/fAT9IEE UZ9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=8tCpelCCGQHPlw7Y/waRAZfJ+A77zM5wbetrnN/Z+4w=; b=QDbCY2i/1yCTH9yDZZfu/y0/D7rlIszW9fUnBc1O5F5bl3CvZyM2x4EAWi2VFVyLw5 FprcItcsYQW4m0jzI3XXxnyJT2dmCWC+aD/xF4jtZN3ntCfszaLjQ9iMRWtDt+t3nWwE RY5JJRpH3fYUsayPzqHu+9zQnFp9H9zIJksH1fUEDWROdzstV9n7NqgKjKI/60dmx3a3 uWR4d00uLvVkIkUL07OoaELqckMugyFefVE34bCjHlH6fDJFOlA1rrD3m8sPwE9lPAPF xq3vmoLQq+xajTMTpvVPP++XqmzU38v+ba5fwB3JRvvSKfBBUGEHh06xMqU8sIJjgxMV OuHg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i23si1774994eds.490.2021.01.27.16.52.09; Wed, 27 Jan 2021 16:52:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231389AbhA1Amz (ORCPT + 99 others); Wed, 27 Jan 2021 19:42:55 -0500 Received: from www62.your-server.de ([213.133.104.62]:39700 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231445AbhA1Ama (ORCPT ); Wed, 27 Jan 2021 19:42:30 -0500 Received: from sslproxy02.your-server.de ([78.47.166.47]) by www62.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1l4vNP-0007JP-Oa; Thu, 28 Jan 2021 01:41:35 +0100 Received: from [85.7.101.30] (helo=pc-9.home) by sslproxy02.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1l4vNP-000Pcf-ET; Thu, 28 Jan 2021 01:41:35 +0100 Subject: Re: [PATCH] bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc To: Bui Quang Minh , Lorenz Bauer Cc: Alexei Starovoitov , "David S . Miller" , Jakub Kicinski , hawk@kernel.org, John Fastabend , Andrii Nakryiko , Martin Lau , Song Liu , Yonghong Song , kpsingh@kernel.org, Jakub Sitnicki , Networking , bpf , LKML References: <20210126082606.3183-1-minhquangbui99@gmail.com> <20210127042341.GA4948@ubuntu> From: Daniel Borkmann Message-ID: Date: Thu, 28 Jan 2021 01:41:34 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <20210127042341.GA4948@ubuntu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.102.4/26062/Wed Jan 27 13:26:15 2021) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/27/21 5:23 AM, Bui Quang Minh wrote: > On Tue, Jan 26, 2021 at 09:36:57AM +0000, Lorenz Bauer wrote: >> On Tue, 26 Jan 2021 at 08:26, Bui Quang Minh wrote: >>> >>> In 32-bit architecture, the result of sizeof() is a 32-bit integer so >>> the expression becomes the multiplication between 2 32-bit integer which >>> can potentially leads to integer overflow. As a result, >>> bpf_map_area_alloc() allocates less memory than needed. >>> >>> Fix this by casting 1 operand to u64. >> >> Some quick thoughts: >> * Should this have a Fixes tag? > > Ok, I will add Fixes tag in later version patch. > >> * Seems like there are quite a few similar calls scattered around >> (cpumap, etc.). Did you audit these as well? > [...] > In cpumap, > > static struct bpf_map *cpu_map_alloc(union bpf_attr *attr) > { > cmap->cpu_map = bpf_map_area_alloc(cmap->map.max_entries * > sizeof(struct bpf_cpu_map_entry *), > cmap->map.numa_node); > } > > I think this is safe because max_entries is not permitted to be larger than NR_CPUS. Yes. > In stackmap, there is a place that I'm not very sure about > > static int prealloc_elems_and_freelist(struct bpf_stack_map *smap) > { > u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size; > smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries, > smap->map.numa_node); > } > > This is called after another bpf_map_area_alloc in stack_map_alloc(). In the first > bpf_map_area_alloc() the argument is calculated in an u64 variable; so if in the second > one, there is an integer overflow then the first one must be called with size > 4GB. I > think the first one will probably fail (I am not sure about the actual limit of vmalloc()), > so the second one might not be called. I would sanity check this as well. Looks like k*alloc()/v*alloc() call sites typically use array_size() which returns SIZE_MAX on overflow, 610b15c50e86 ("overflow.h: Add allocation size calculation helpers"). Thanks, Daniel