From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Bui Quang Minh <minhquangbui99@gmail.com>,
Song Liu <song@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf v3 3/3] bpf: Fix stackmap overflow check on 32-bit arches
Date: Thu, 07 Mar 2024 17:52:36 +0100 [thread overview]
Message-ID: <87edcmrnl7.fsf@toke.dk> (raw)
In-Reply-To: <549972cd-15e6-4520-a99b-c70c1ed455e5@gmail.com>
Bui Quang Minh <minhquangbui99@gmail.com> writes:
> On 3/7/24 19:03, Toke Høiland-Jørgensen wrote:
>> The stackmap code relies on roundup_pow_of_two() to compute the number
>> of hash buckets, and contains an overflow check by checking if the
>> resulting value is 0. However, on 32-bit arches, the roundup code itself
>> can overflow by doing a 32-bit left-shift of an unsigned long value,
>> which is undefined behaviour, so it is not guaranteed to truncate
>> neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
>> contains the same check, copied from the hashtab code.
>>
>> The commit in the fixes tag actually attempted to fix this, but the fix
>> did not account for the UB, so the fix only works on CPUs where an
>> overflow does result in a neat truncation to zero, which is not
>> guaranteed. Checking the value before rounding does not have this
>> problem.
>>
>> Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()")
>> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
>> ---
>> kernel/bpf/stackmap.c | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
>> index dff7ba539701..c99f8e5234ac 100644
>> --- a/kernel/bpf/stackmap.c
>> +++ b/kernel/bpf/stackmap.c
>> @@ -91,11 +91,14 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr)
>> } else if (value_size / 8 > sysctl_perf_event_max_stack)
>> return ERR_PTR(-EINVAL);
>>
>> - /* hash table size must be power of 2 */
>> - n_buckets = roundup_pow_of_two(attr->max_entries);
>> - if (!n_buckets)
>> + /* hash table size must be power of 2; roundup_pow_of_two() can overflow
>> + * into UB on 32-bit arches, so check that first
>> + */
>> + if (attr->max_entries > 1UL << 31)
>> return ERR_PTR(-E2BIG);
>>
>> + n_buckets = roundup_pow_of_two(attr->max_entries);
>> +
>> cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap);
>> smap = bpf_map_area_alloc(cost, bpf_map_attr_numa_node(attr));
>> if (!smap)
>
> Reviewed-by: Bui Quang Minh <minhquangbui99@gmail.com>
>
> Today I learned to be more careful with UB in C.
Haha, yeah, I was surprised about this one as well; UB is nasty! :)
-Toke
next prev parent reply other threads:[~2024-03-07 16:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-07 12:03 [PATCH bpf v3 0/3] Fix hash bucket overflow checks for 32-bit arches Toke Høiland-Jørgensen
2024-03-07 12:03 ` [PATCH bpf v3 1/3] bpf: Fix DEVMAP_HASH overflow check on " Toke Høiland-Jørgensen
2024-03-07 12:03 ` [PATCH bpf v3 2/3] bpf: Fix hashtab " Toke Høiland-Jørgensen
2024-03-08 4:09 ` Alexei Starovoitov
2024-03-11 10:58 ` Toke Høiland-Jørgensen
2024-03-07 12:03 ` [PATCH bpf v3 3/3] bpf: Fix stackmap " Toke Høiland-Jørgensen
2024-03-07 15:55 ` Bui Quang Minh
2024-03-07 16:52 ` Toke Høiland-Jørgensen [this message]
2024-03-08 4:10 ` [PATCH bpf v3 0/3] Fix hash bucket overflow checks for " patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87edcmrnl7.fsf@toke.dk \
--to=toke@redhat.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=martin.lau@linux.dev \
--cc=minhquangbui99@gmail.com \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox