From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E5A371753; Sun, 7 Apr 2024 13:12:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712495536; cv=none; b=HdSTg2o+okXP4WKHyUubjmX4Lyi/YrXEBMK4LcIcIZq7IHDJ3Z7D6g/KkJu4XU0Pa8vOxm8VAdakXVs6xpm1mjK1RUIavcr9uyvYsOhRXK3R54cdBU/3vxrrILM1yDJoJzLsNFufoGcmNH506OHpUCmwCexvKOxJi59T1vg0Zzs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712495536; c=relaxed/simple; bh=+JJRPG8HCYkd3ToZtORyTAyJGiVFqfS3te+4P03Lq3U=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PqcuFqSfdVEm96MCGjsXa7gk2qqJWCFFLd1iJ9MPXrAXL0Hrh3TxqaLAainoJEmaao3Kt6+C03/EXdKo1qvlJ9g5B6+JVEVgGBlMXZWskf63vpL/7P59AJxz6HarS5f1Da0n39MuKffo08CLLcCKyPYzf+lbP2sMv4oYclyeQdE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=qjY7aMvR; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="qjY7aMvR" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0A2A8C433C7; Sun, 7 Apr 2024 13:12:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1712495536; bh=+JJRPG8HCYkd3ToZtORyTAyJGiVFqfS3te+4P03Lq3U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qjY7aMvRjHUdkyHkM5iNakjv1+7Nn7u9hW/5p6Quo9AkB3loSABF9jrqgrw3bY5mZ JH9oUYzWwLCX7ig+HrsXQEAnBP5Kb1aPpFNqOOBmk1J5reaq7vEqqK1IVEA2v6IIRM uPP9SyhrgIb7L0r1d6yqCOeY4xFSQXomC309wvb42l+AT53SQ5EzarCKsg6KLrZLYk VJx45td4aUhzZ5gY7o5LXoWAtjsY3cDAHo7sL/Na2YLzZvXOTHtUKrcPj2m2+m3J/i 65afpserlzclRmN/rrEG6dtvg0r9AW5DFlajnW0AwAgaQV/lLfXah+c+ifFSaR0Syc 1LJ1Eb8xJEiFg== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Andrei Matei , Andrii Nakryiko , Alexei Starovoitov , Sasha Levin , daniel@iogearbox.net, shuah@kernel.org, jolsa@kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [PATCH AUTOSEL 6.8 23/25] bpf: Check bloom filter map value size Date: Sun, 7 Apr 2024 09:11:11 -0400 Message-ID: <20240407131130.1050321-23-sashal@kernel.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240407131130.1050321-1-sashal@kernel.org> References: <20240407131130.1050321-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.8.4 Content-Transfer-Encoding: 8bit From: Andrei Matei [ Upstream commit a8d89feba7e54e691ca7c4efc2a6264fa83f3687 ] This patch adds a missing check to bloom filter creating, rejecting values above KMALLOC_MAX_SIZE. This brings the bloom map in line with many other map types. The lack of this protection can cause kernel crashes for value sizes that overflow int's. Such a crash was caught by syzkaller. The next patch adds more guard-rails at a lower level. Signed-off-by: Andrei Matei Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20240327024245.318299-2-andreimatei1@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin --- kernel/bpf/bloom_filter.c | 13 +++++++++++++ .../selftests/bpf/prog_tests/bloom_filter_map.c | 6 ++++++ 2 files changed, 19 insertions(+) diff --git a/kernel/bpf/bloom_filter.c b/kernel/bpf/bloom_filter.c index addf3dd57b59b..35e1ddca74d21 100644 --- a/kernel/bpf/bloom_filter.c +++ b/kernel/bpf/bloom_filter.c @@ -80,6 +80,18 @@ static int bloom_map_get_next_key(struct bpf_map *map, void *key, void *next_key return -EOPNOTSUPP; } +/* Called from syscall */ +static int bloom_map_alloc_check(union bpf_attr *attr) +{ + if (attr->value_size > KMALLOC_MAX_SIZE) + /* if value_size is bigger, the user space won't be able to + * access the elements. + */ + return -E2BIG; + + return 0; +} + static struct bpf_map *bloom_map_alloc(union bpf_attr *attr) { u32 bitset_bytes, bitset_mask, nr_hash_funcs, nr_bits; @@ -191,6 +203,7 @@ static u64 bloom_map_mem_usage(const struct bpf_map *map) BTF_ID_LIST_SINGLE(bpf_bloom_map_btf_ids, struct, bpf_bloom_filter) const struct bpf_map_ops bloom_filter_map_ops = { .map_meta_equal = bpf_map_meta_equal, + .map_alloc_check = bloom_map_alloc_check, .map_alloc = bloom_map_alloc, .map_free = bloom_map_free, .map_get_next_key = bloom_map_get_next_key, diff --git a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c index 053f4d6da77a4..cc184e4420f6e 100644 --- a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c +++ b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c @@ -2,6 +2,7 @@ /* Copyright (c) 2021 Facebook */ #include +#include #include #include "bloom_filter_map.skel.h" @@ -21,6 +22,11 @@ static void test_fail_cases(void) if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value size 0")) close(fd); + /* Invalid value size: too big */ + fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, INT32_MAX, 100, NULL); + if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value too large")) + close(fd); + /* Invalid max entries size */ fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, sizeof(value), 0, NULL); if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid max entries size")) -- 2.43.0