From: Bixuan Cui
Subject: [PATCH -next] bpf: Add oversize check before call kvcalloc()
Date: Tue, 7 Sep 2021 14:00:40 +0800
Message-ID: <20210907060040.36222-1-cuibixuan@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") added the
oversize check. When the allocation is larger than what kmalloc() supports,
the following warning is triggered:

WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
Modules linked in:
CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
Call Trace:
 kvmalloc include/linux/mm.h:806 [inline]
 kvmalloc_array include/linux/mm.h:824 [inline]
 kvcalloc include/linux/mm.h:829 [inline]
 check_btf_line kernel/bpf/verifier.c:9925 [inline]
 check_btf_info kernel/bpf/verifier.c:10049 [inline]
 bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
 bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
 __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
Signed-off-by: Bixuan Cui
--- kernel/bpf/verifier.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 047ac4b4703b..2a3955359156 100644 --- a/kernel/bpf/verifier.c 
+++ b/kernel/bpf/verifier.c @@ -9912,6 +9912,8 @@ static int check_btf_line(struct bpf_verifier_env *env, nr_linfo = attr->line_info_cnt; if (!nr_linfo) return 0; + if (nr_linfo * sizeof(struct bpf_line_info) > INT_MAX) + return -EINVAL; rec_size = attr->line_info_rec_size; if (rec_size < MIN_BPF_LINEINFO_SIZE || -- 2.17.1
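
Review bot: the added bound in check_btf_line(), "nr_linfo * sizeof(struct bpf_line_info) > INT_MAX", multiplies before it compares, so on a build where size_t is 32 bits the product can wrap and an oversized line_info_cnt can still pass the check and reach the kvcalloc() call shown in the trace. Comparing by division cannot wrap: "if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))". A short comment above the check saying that INT_MAX mirrors the limit introduced by commit 7661809d493b would also help, since the hunk itself gives no reason for that constant.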