Commit 8695a539 authored by John Fastabend's avatar John Fastabend Committed by David S. Miller
Browse files

bpf: devmap fix arithmetic overflow in bitmap_size calculation 



An integer overflow is possible in dev_map_bitmap_size() when
calculating the BITS_TO_LONG logic which becomes, after macro
replacement,

	(((n) + (d) - 1)/ (d))

where 'n' is a __u32 and 'd' is (8 * sizeof(long)). To avoid
overflow cast to u64 before arithmetic.

Reported-by: default avatarRichard Weinberger <richard@nod.at>
Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 43ebf97f

kernel/bpf/devmap.c

+1 −1
Original line number Diff line number Diff line
@@ -69,7 +69,7 @@ static LIST_HEAD(dev_map_list); 


static u64 dev_map_bitmap_size(const union bpf_attr *attr)

{

	return BITS_TO_LONGS(attr->max_entries) * sizeof(unsigned long);

	return BITS_TO_LONGS((u64) attr->max_entries) * sizeof(unsigned long);

}



static struct bpf_map *dev_map_alloc(union bpf_attr *attr)

CRA Git | Maintained and supported by SUSTech CRA and CCSE