Message ID | 20210913110246.2955737-1-mudongliangabcd@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | BPF |
Series | bpf: fix kmalloc bug in bpf_check |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Not a local patch |
bpf/vmtest-bpf-PR | success | PR summary |
bpf/vmtest-bpf | success | VM_Test |
bpf/vmtest-bpf-next | fail | VM_Test |
bpf/vmtest-bpf-next-PR | fail | PR summary |
On 9/13/21 4:02 AM, Dongliang Mu wrote: > Since 7661809d493b ("mm: don't allow oversized kvmalloc() calls > ") does not allow oversized kvmalloc, it triggers a kmalloc bug warning > at bpf_check. > > Fix it by adding a sanity check in th check_btf_line. > > Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com > Fixes: 7661809d493b ("mm: don't allow oversized kvmalloc() calls") > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Thanks for the fix. A similar patch has been proposed here: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com/ > --- > kernel/bpf/verifier.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 047ac4b4703b..3c5a79f78bc5 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -9913,6 +9913,9 @@ static int check_btf_line(struct bpf_verifier_env *env, > if (!nr_linfo) > return 0; > > + if (nr_linfo > INT_MAX/sizeof(struct bpf_line_info)) > + return -EINVAL; > + > rec_size = attr->line_info_rec_size; > if (rec_size < MIN_BPF_LINEINFO_SIZE || > rec_size > MAX_LINEINFO_REC_SIZE || >
On Mon, Sep 13, 2021 at 11:34 PM Yonghong Song <yhs@fb.com> wrote: > > > > On 9/13/21 4:02 AM, Dongliang Mu wrote: > > Since 7661809d493b ("mm: don't allow oversized kvmalloc() calls > > ") does not allow oversized kvmalloc, it triggers a kmalloc bug warning > > at bpf_check. > > > > Fix it by adding a sanity check in th check_btf_line. > > > > Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com > > Fixes: 7661809d493b ("mm: don't allow oversized kvmalloc() calls") > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > > Thanks for the fix. A similar patch has been proposed here: > https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com/ OK, I see. Let's ignore this patch. > > > --- > > kernel/bpf/verifier.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > index 047ac4b4703b..3c5a79f78bc5 100644 > > --- a/kernel/bpf/verifier.c > > +++ b/kernel/bpf/verifier.c > > @@ -9913,6 +9913,9 @@ static int check_btf_line(struct bpf_verifier_env *env, > > if (!nr_linfo) > > return 0; > > > > + if (nr_linfo > INT_MAX/sizeof(struct bpf_line_info)) > > + return -EINVAL; > > + > > rec_size = attr->line_info_rec_size; > > if (rec_size < MIN_BPF_LINEINFO_SIZE || > > rec_size > MAX_LINEINFO_REC_SIZE || > >
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 047ac4b4703b..3c5a79f78bc5 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9913,6 +9913,9 @@ static int check_btf_line(struct bpf_verifier_env *env, if (!nr_linfo) return 0; + if (nr_linfo > INT_MAX/sizeof(struct bpf_line_info)) + return -EINVAL; + rec_size = attr->line_info_rec_size; if (rec_size < MIN_BPF_LINEINFO_SIZE || rec_size > MAX_LINEINFO_REC_SIZE ||
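Review bot: the new bound in check_btf_line, `nr_linfo > INT_MAX/sizeof(struct bpf_line_info)`, carries no comment tying INT_MAX to the kvmalloc() size limit that the commit message cites as the cause, so a later reader of verifier.c cannot tell why this constant was chosen; add a one-line comment above the check. Placing the check ahead of the rec_size validation is fine because it depends only on nr_linfo, but kernel coding style wants spaces around the division operator: `INT_MAX / sizeof(struct bpf_line_info)`.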
Since 7661809d493b ("mm: don't allow oversized kvmalloc() calls")
does not allow oversized kvmalloc, it triggers a kmalloc bug warning
at bpf_check.

Fix it by adding a sanity check in the check_btf_line.

Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
Fixes: 7661809d493b ("mm: don't allow oversized kvmalloc() calls")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
---
 kernel/bpf/verifier.c | 3 +++
 1 file changed, 3 insertions(+)