Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4698392pxj;
        Wed, 12 May 2021 11:08:51 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz0yqbUjXssqhfdu8jQOew7sKrQRggNBPoJlD5YbJXlM7lrCbySx9PoiINPucr/rQ9qu8BS
X-Received: by 2002:aa7:c7c5:: with SMTP id o5mr44646913eds.31.1620842931463;
        Wed, 12 May 2021 11:08:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620842931; cv=none;
        d=google.com; s=arc-20160816;
        b=uiskqZYPSY7v6kfLOHwZPAdRoiSK4u9loOTBUxImvVgE9YmcsrhxEHCrpsiVv0VnBx
         rqYckQ0aT+SOk5Makw9Z78/mF9FaKjVjSHaxwob0kFwAoW+zZpWVgRGnu2S49RTH/Ra8
         5mt9D+4o5m9lgTSTJWJvZi6xFrGNPvAarYK1nv/lodaUkqoPtXGZHvIJobBwI8ldTUAr
         qpt8kcW5jiVDVfIs1gIt/I6SW+5EO63r1pTBIy0m+bEpuSbkI/gqjWLXKZsWZ3XZSoyU
         nozX7toI7/ouElrJxE5z7Dtul0qnboRT91bnYmAZor1dZwHrYL0CgYqkk0/5vC/b8uxw
         qlkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=RqL0Qy9x3DKEn/yxqsAz18iMj3jttcw3RCGAJhgljo0=;
        b=JnxhBFD96ivXfmZvHUcywWmIPqS2jd5FyLqEoyEBli2Fa+yMktXClo9rWwcpUQu4qy
         L8h6f6RZ1TUjNGIhWGww3z3brLudJmIznDepVIf0jeFFPAA3h9uO9nsbv3xstOfeGGjQ
         i44jKD/5AoTW5Mv+JITlbVk36dccGiSOVj29PrQMO4DDmoqmajAi9NDN1Rz9TJ4FT5sD
         SldRnHKQ2W/mhbDF+KNvh4fdNzYndn1k3mLt6O8REolWXHWFJndDoGH+UpKCZz8VDb+t
         CRs9vOAFdW0sQT+VYroJP42SKbq3tnWHNr83MgiInjKbu6ITsIlsqF81VBKs+LAk+st6
         2OlA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=d7qbfxKB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m17si327391edq.535.2021.05.12.11.08.28;
        Wed, 12 May 2021 11:08:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=d7qbfxKB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1351650AbhELSBg (ORCPT <rfc822;lkmlinbox@gmail.com> + 99 others);
        Wed, 12 May 2021 14:01:36 -0400
Received: from mail.kernel.org ([198.145.29.99]:40576 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S241108AbhELQ0Y (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 May 2021 12:26:24 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id D5510619C5;
        Wed, 12 May 2021 15:49:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1620834583;
        bh=iL9F0uU2nkg5CIRC/Gc/9Qbk5I/M2tuzeiAsq5MVDQM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=d7qbfxKBmzNDiHGdtJc2kV8axOQ1Kffwxcr+lejDaiXCkc2URhcw07jJlQzM8QQem
         iDcgOu2IKHypUEkrQPaxwL8FT9mE82buO4PwqqqsTMRLCJe/5uqmKzkQmqL1o7jYuJ
         2Gf0DoR8uhjxXs1nB/zD9vk7O4URjHp7uJZjzIbY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Thadeu Lima de Souza Cascardo <cascardo@canonical.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>,
        Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 5.11 596/601] bpf, ringbuf: Deny reserve of buffers larger than ringbuf
Date:   Wed, 12 May 2021 16:51:13 +0200
Message-Id: <20210512144847.483743346@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210512144827.811958675@linuxfoundation.org>
References: <20210512144827.811958675@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea upstream.

A BPF program might try to reserve a buffer larger than the ringbuf size.
If the consumer pointer is way ahead of the producer, that would be
successfully reserved, allowing the BPF program to read or write out of
the ringbuf allocated area.

Reported-by: Ryota Shiga (Flatt Security)
Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/ringbuf.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/bpf/ringbuf.c
+++ b/kernel/bpf/ringbuf.c
@@ -315,6 +315,9 @@ static void *__bpf_ringbuf_reserve(struc
 		return NULL;
 
 	len = round_up(size + BPF_RINGBUF_HDR_SZ, 8);
+	if (len > rb->mask + 1)
+		return NULL;
+
 	cons_pos = smp_load_acquire(&rb->consumer_pos);
 
 	if (in_nmi()) {