bpf: fix integer overflow in queue_stack_map

Fix the following issues:

- allow queue_stack_map for root only
- fix u32 max_entries overflow
- disallow value_size == 0

Fixes: f1a2e44a3a ("bpf: add queue and stack maps")
Reported-by: Wei Wu <ww9210@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Cc: Mauricio Vasquez B <mauricio.vasquez@polito.it>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
This commit is contained in:
Alexei Starovoitov 2018-11-22 10:49:56 -08:00 committed by Daniel Borkmann
parent dde7011a82
commit 813961de3e

View File

@ -7,6 +7,7 @@
#include <linux/bpf.h> #include <linux/bpf.h>
#include <linux/list.h> #include <linux/list.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/capability.h>
#include "percpu_freelist.h" #include "percpu_freelist.h"
#define QUEUE_STACK_CREATE_FLAG_MASK \ #define QUEUE_STACK_CREATE_FLAG_MASK \
@ -45,8 +46,12 @@ static bool queue_stack_map_is_full(struct bpf_queue_stack *qs)
/* Called from syscall */ /* Called from syscall */
static int queue_stack_map_alloc_check(union bpf_attr *attr) static int queue_stack_map_alloc_check(union bpf_attr *attr)
{ {
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
/* check sanity of attributes */ /* check sanity of attributes */
if (attr->max_entries == 0 || attr->key_size != 0 || if (attr->max_entries == 0 || attr->key_size != 0 ||
attr->value_size == 0 ||
attr->map_flags & ~QUEUE_STACK_CREATE_FLAG_MASK) attr->map_flags & ~QUEUE_STACK_CREATE_FLAG_MASK)
return -EINVAL; return -EINVAL;
@ -63,15 +68,10 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
{ {
int ret, numa_node = bpf_map_attr_numa_node(attr); int ret, numa_node = bpf_map_attr_numa_node(attr);
struct bpf_queue_stack *qs; struct bpf_queue_stack *qs;
u32 size, value_size; u64 size, queue_size, cost;
u64 queue_size, cost;
size = attr->max_entries + 1; size = (u64) attr->max_entries + 1;
value_size = attr->value_size; cost = queue_size = sizeof(*qs) + size * attr->value_size;
queue_size = sizeof(*qs) + (u64) value_size * size;
cost = queue_size;
if (cost >= U32_MAX - PAGE_SIZE) if (cost >= U32_MAX - PAGE_SIZE)
return ERR_PTR(-E2BIG); return ERR_PTR(-E2BIG);