From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Andrei Matei <andreimatei1@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>,
daniel@iogearbox.net, shuah@kernel.org, jolsa@kernel.org,
bpf@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 20/22] bpf: Check bloom filter map value size
Date: Sun, 7 Apr 2024 09:12:19 -0400 [thread overview]
Message-ID: <20240407131231.1051652-20-sashal@kernel.org> (raw)
In-Reply-To: <20240407131231.1051652-1-sashal@kernel.org>
From: Andrei Matei <andreimatei1@gmail.com>
[ Upstream commit a8d89feba7e54e691ca7c4efc2a6264fa83f3687 ]
This patch adds a missing check to bloom filter creating, rejecting
values above KMALLOC_MAX_SIZE. This brings the bloom map in line with
many other map types.
The lack of this protection can cause kernel crashes for value sizes
that overflow int's. Such a crash was caught by syzkaller. The next
patch adds more guard-rails at a lower level.
Signed-off-by: Andrei Matei <andreimatei1@gmail.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20240327024245.318299-2-andreimatei1@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/bloom_filter.c | 13 +++++++++++++
.../selftests/bpf/prog_tests/bloom_filter_map.c | 6 ++++++
2 files changed, 19 insertions(+)
diff --git a/kernel/bpf/bloom_filter.c b/kernel/bpf/bloom_filter.c
index addf3dd57b59b..35e1ddca74d21 100644
--- a/kernel/bpf/bloom_filter.c
+++ b/kernel/bpf/bloom_filter.c
@@ -80,6 +80,18 @@ static int bloom_map_get_next_key(struct bpf_map *map, void *key, void *next_key
return -EOPNOTSUPP;
}
+/* Called from syscall */
+static int bloom_map_alloc_check(union bpf_attr *attr)
+{
+ if (attr->value_size > KMALLOC_MAX_SIZE)
+ /* if value_size is bigger, the user space won't be able to
+ * access the elements.
+ */
+ return -E2BIG;
+
+ return 0;
+}
+
static struct bpf_map *bloom_map_alloc(union bpf_attr *attr)
{
u32 bitset_bytes, bitset_mask, nr_hash_funcs, nr_bits;
@@ -191,6 +203,7 @@ static u64 bloom_map_mem_usage(const struct bpf_map *map)
BTF_ID_LIST_SINGLE(bpf_bloom_map_btf_ids, struct, bpf_bloom_filter)
const struct bpf_map_ops bloom_filter_map_ops = {
.map_meta_equal = bpf_map_meta_equal,
+ .map_alloc_check = bloom_map_alloc_check,
.map_alloc = bloom_map_alloc,
.map_free = bloom_map_free,
.map_get_next_key = bloom_map_get_next_key,
diff --git a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c
index d2d9e965eba59..f79815b7e951b 100644
--- a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c
+++ b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c
@@ -2,6 +2,7 @@
/* Copyright (c) 2021 Facebook */
#include <sys/syscall.h>
+#include <limits.h>
#include <test_progs.h>
#include "bloom_filter_map.skel.h"
@@ -21,6 +22,11 @@ static void test_fail_cases(void)
if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value size 0"))
close(fd);
+ /* Invalid value size: too big */
+ fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, INT32_MAX, 100, NULL);
+ if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value too large"))
+ close(fd);
+
/* Invalid max entries size */
fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, sizeof(value), 0, NULL);
if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid max entries size"))
--
2.43.0
next prev parent reply other threads:[~2024-04-07 13:13 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-07 13:12 [PATCH AUTOSEL 6.6 01/22] scsi: ufs: core: Fix MCQ MAC configuration Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 02/22] scsi: lpfc: Move NPIV's transport unregistration to after resource clean up Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 03/22] scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 04/22] scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 05/22] scsi: lpfc: Replace hbalock with ndlp lock in lpfc_nvme_unregister_port() Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 06/22] scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 07/22] scsi: lpfc: Use a dedicated lock for ras_fwlog state Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 08/22] gfs2: Fix invalid metadata access in punch_hole Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 09/22] wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 10/22] wifi: cfg80211: fix rdev_dump_mpp() arguments order Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 11/22] wifi: mac80211: fix prep_connection error path Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 12/22] wifi: iwlwifi: read txq->read_ptr under lock Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 13/22] wifi: iwlwifi: mvm: guard against invalid STA ID on removal Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 14/22] net: mark racy access on sk->sk_rcvbuf Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 15/22] scsi: mpi3mr: Avoid memcpy field-spanning write WARNING Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 16/22] scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 17/22] btrfs: return accurate error code on open failure in open_fs_devices() Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 18/22] drm/amdkfd: Check cgroup when returning DMABuf info Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 19/22] drm/amdkfd: range check cp bad op exception interrupts Sasha Levin
2024-04-07 13:12 ` Sasha Levin [this message]
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 21/22] selftests/ftrace: Fix event filter target_func selection Sasha Levin
2024-04-07 13:12 ` [PATCH AUTOSEL 6.6 22/22] kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240407131231.1051652-20-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andreimatei1@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox