Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4641746pxj;
        Wed, 12 May 2021 09:53:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyU6yL/P8PlZaD2u4HDKa1ifWGn/x3LuqPmxkp84aksNUHBlCIXMBakuN/4o9rvkimt34Ma
X-Received: by 2002:a2e:9116:: with SMTP id m22mr29273397ljg.176.1620838393746;
        Wed, 12 May 2021 09:53:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620838393; cv=none;
        d=google.com; s=arc-20160816;
        b=1F8JNmgBLUPU4sLCbcRPIcQwtYxyYUZkxQQUzso/lUUwtMyad7X6pPn57rNLWfCjSy
         fIYUKnXj1CJ2EBYTo+4JEYScPMapZCm1xU5QijKI82W1mu+7LDaYuMtf0/L/jiYF3Nt6
         F7lqadRRnrCby9uDjcFXHioxPrIa0/hv+gemGILAFsB2N6Tb27RBs/nqLTTPckkcQ1J9
         lnFMSkxMpsZlw7CB0kHKfLGaph5mVqQjWPohgwQ9W9nIt0z5DXVepQiM0+TfI3NyUf7g
         bJsFJX1CIDk4pjf7vF+nsGGREw3mYkre6LO9u/i3pqikkIa7wAaaUVYLK1iG5unz+tej
         sIgQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=qogAu+2ofDYtze1UX6WK7Z3kLmdrZJv50lZbxhak63w=;
        b=X1UET44arqVyWiJk/EXr2IvIaKX25CLKE6WIbNQPHws4S/4AReWFe4CQyzzVYfJYmP
         JcMN6yPvjq7H6lZBy5m4mnODQOB2F1UKJKVbwGhCa4JKNlEaKGq1umWMJylt5sQ6p5nY
         e7VCxLyD88Y3TRa4/WHNRV8re1hpmqMrTOC1+Ix4TeLhzctTcPHgBaemtbF2nNOVxNRz
         Rxg6OjJ2hybejp7MWjfDG4oY+ozdWwMDQj+DaOBv8inZ86eqhkPprW5SOpycsddTeOlX
         oMsAQASG6i6AKP9+cTTSiWMA+ghmrIpbivg2s7AnnaTQ/INOOdCTkIpQs13jma60uCSa
         WrzA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="I5A/slMD";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 14si478251lfq.128.2021.05.12.09.52.37;
        Wed, 12 May 2021 09:53:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="I5A/slMD";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235294AbhELQrd (ORCPT <rfc822;lkmlinbox@gmail.com> + 99 others);
        Wed, 12 May 2021 12:47:33 -0400
Received: from mail.kernel.org ([198.145.29.99]:50860 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S237064AbhELPsI (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 May 2021 11:48:08 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 192A061CAE;
        Wed, 12 May 2021 15:24:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1620833073;
        bh=ZLkUJ4qqa5EA5cBiHgrrIc0t+Xm4tzFP8hLxBcO1HA4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=I5A/slMDBExaRpmwScv1JZMhyHk7DBjPAEo31h//q0VsoIM3JRbcLLrNwWxB0nGZm
         MrMQH3EvuLpdJvzuZBt8pus26NMY3C7mdWOGtuSRwDQDMmR5d/KMODqEbLQfhCt1z8
         LNCbeTOOEHRp/MFiHKSqdmhnusmx+lGIYReR3BxU=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Thadeu Lima de Souza Cascardo <cascardo@canonical.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>,
        Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 5.10 524/530] bpf, ringbuf: Deny reserve of buffers larger than ringbuf
Date:   Wed, 12 May 2021 16:50:34 +0200
Message-Id: <20210512144836.969469485@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210512144819.664462530@linuxfoundation.org>
References: <20210512144819.664462530@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea upstream.

A BPF program might try to reserve a buffer larger than the ringbuf size.
If the consumer pointer is way ahead of the producer, that would be
successfully reserved, allowing the BPF program to read or write out of
the ringbuf allocated area.

Reported-by: Ryota Shiga (Flatt Security)
Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/ringbuf.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/bpf/ringbuf.c
+++ b/kernel/bpf/ringbuf.c
@@ -334,6 +334,9 @@ static void *__bpf_ringbuf_reserve(struc
 		return NULL;
 
 	len = round_up(size + BPF_RINGBUF_HDR_SZ, 8);
+	if (len > rb->mask + 1)
+		return NULL;
+
 	cons_pos = smp_load_acquire(&rb->consumer_pos);
 
 	if (in_nmi()) {