From: Bixuan Cui
Subject: [PATCH -next v2] bpf: Add oversize check before call kvcalloc()
Date: Sat, 11 Sep 2021 08:55:57 +0800
Message-ID: <20210911005557.45518-1-cuibixuan@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") added the
oversize check. When the allocation is larger than what kmalloc() supports,
the following warning is triggered:

WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
Modules linked in:
CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
Call Trace:
 kvmalloc include/linux/mm.h:806 [inline]
 kvmalloc_array include/linux/mm.h:824 [inline]
 kvcalloc include/linux/mm.h:829 [inline]
 check_btf_line kernel/bpf/verifier.c:9925 [inline]
 check_btf_info kernel/bpf/verifier.c:10049 [inline]
 bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
 bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
 __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
Signed-off-by: Bixuan Cui --- Chang in v2: * Change 'if (nr_linfo * sizeof(struct bpf_line_info) > INT_MAX)' to 'if (nr_lifo > INT_MAX / sizeof(struct bpf_line_info))'. kernel/bpf/verifier.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a0dd972d5b41..de006552be8a 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9912,6 +9912,8 @@ static int check_btf_line(struct bpf_verifier_env *env, nr_linfo = attr->line_info_cnt; if (!nr_linfo) return 0; + if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info)) + return -EINVAL; rec_size = attr->line_info_rec_size; if (rec_size < MIN_BPF_LINEINFO_SIZE || -- 2.17.1
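
Review bot: the new `if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))` test in check_btf_line() carries no comment saying why INT_MAX is the bound, so a later reader cannot tell that it mirrors the kvmalloc() size limit introduced by 7661809d493b rather than a BPF-specific limit. A one-line comment above the `if` naming that commit's limit would keep the two in step if the mm-side limit ever changes. The division form is the right choice over the v1 multiplication, since it cannot wrap on 32-bit builds where sizeof() is 32 bits wide. Two smaller points: the trailers show Reported-by and Signed-off-by but no Fixes: tag, even though the message identifies 7661809d493b as the commit that made the warning appear; and the early `return -EINVAL` gives user space no verifier log message, so a rejected line_info_cnt is indistinguishable from the other -EINVAL paths in this function unless one is added.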