Commit bbeb6e43 authored Jan 10, 2018 by Daniel Borkmann Committed by Alexei Starovoitov Jan 10, 2018

bpf, array: fix overflow in max_entries and undefined behavior in index_mask

syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
and thus unprivileged. With the recently added logic in b2157399
("bpf: prevent out-of-bounds speculation") we round this up to the next
power of two value for max_entries for unprivileged such that we can
apply proper masking into potentially zeroed out map slots.

However, this will generate an index_mask of 0xffffffff, and therefore
a + 1 will let this overflow into new max_entries of 0. This will pass
allocation, etc, and later on map access we still enforce on the original
attr->max_entries value which was 0xfffffffd, therefore triggering GPF
all over the place. Thus bail out on overflow in such case.

Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
space is undefined. Therefore, do this by hand in a 64 bit variable.

This fixes all the issues triggered by syzkaller's reproducers.

Fixes: b2157399 ("bpf: prevent out-of-bounds speculation")
Reported-by: <syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com>
Reported-by: <syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com>
Reported-by: <syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com>
Reported-by: <syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com>
Reported-by: <syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent 7891a87e

kernel/bpf/arraymap.c

+15 −3

Original line number	Diff line number	Diff line
		@@ -56,7 +56,7 @@ static struct bpf_map array_map_alloc(union bpf_attr attr)
		u32 elem_size, index_mask, max_entries;
		bool unpriv = !capable(CAP_SYS_ADMIN);
		struct bpf_array *array;
		u64 array_size;
		u64 array_size, mask64;

		/* check sanity of attributes */
		if (attr->max_entries == 0 \|\| attr->key_size != 4 \|\|
		@@ -74,13 +74,25 @@ static struct bpf_map array_map_alloc(union bpf_attr attr)
		elem_size = round_up(attr->value_size, 8);

		max_entries = attr->max_entries;
		index_mask = roundup_pow_of_two(max_entries) - 1;

		if (unpriv)
		/* On 32 bit archs roundup_pow_of_two() with max_entries that has
		* upper most bit set in u32 space is undefined behavior due to
		* resulting 1U << 32, so do it manually here in u64 space.
		*/
		mask64 = fls_long(max_entries - 1);
		mask64 = 1ULL << mask64;
		mask64 -= 1;

		index_mask = mask64;
		if (unpriv) {
		/* round up array size to nearest power of 2,
		* since cpu will speculate within index_mask limits
		*/
		max_entries = index_mask + 1;
		/* Check for overflows. */
		if (max_entries < attr->max_entries)
		return ERR_PTR(-E2BIG);
		}

		array_size = sizeof(*array);
		if (percpu)

Admin message