linux-stable/kernel/bpf
Toke Høiland-Jørgensen d0e214acc5 bpf: Fix stackmap overflow check on 32-bit arches
[ Upstream commit 7a4b21250b ]

The stackmap code relies on roundup_pow_of_two() to compute the number
of hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code.

The commit in the fixes tag actually attempted to fix this, but the fix
did not account for the UB, so the fix only works on CPUs where an
overflow does result in a neat truncation to zero, which is not
guaranteed. Checking the value before rounding does not have this
problem.

Fixes: 6183f4d3a0 ("bpf: Check for integer overflow when using roundup_pow_of_two()")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Bui Quang Minh <minhquangbui99@gmail.com>
Message-ID: <20240307120340.99577-4-toke@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-26 18:22:36 -04:00
Makefile bpf: silence warning messages in core 2019-07-26 09:14:06 +02:00
arraymap.c bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-02-23 08:12:46 +01:00
bpf_lru_list.c bpf: Address KCSAN report on bpf_lru_list 2023-08-11 11:45:25 +02:00
bpf_lru_list.h bpf: Address KCSAN report on bpf_lru_list 2023-08-11 11:45:25 +02:00
btf.c bpf: btf: fix truncated last_member_type_id in btf_struct_resolve 2022-10-26 13:19:25 +02:00
cgroup.c
core.c bpf: Adjust insufficient default bpf_jit_limit 2023-04-05 11:15:34 +02:00
cpumap.c cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled 2020-05-02 17:25:53 +02:00
devmap.c bpf: devmap: fix wrong interface selection in notifier_call 2019-12-01 09:17:01 +01:00
disasm.c bpf: Introduce BPF nospec instruction for mitigating Spectre v4 2021-09-22 11:47:58 +02:00
disasm.h
hashtab.c bpf: Fix hashtab overflow check on 32-bit arches 2024-03-26 18:22:36 -04:00
helpers.c
inode.c bpf: Fix a rcu warning for bpffs map pretty-print 2020-10-01 13:14:52 +02:00
local_storage.c bpf: allocate local storage buffers using GFP_ATOMIC 2018-12-17 09:24:33 +01:00
lpm_trie.c bpf, lpm: Fix check prefixlen before walking trie 2024-01-25 14:33:33 -08:00
map_in_map.c bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-02-23 08:12:46 +01:00
map_in_map.h bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-02-23 08:12:46 +01:00
offload.c bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill 2020-02-28 16:38:59 +01:00
percpu_freelist.c bpf: fix lockdep false positive in percpu_freelist 2019-03-13 14:02:36 -07:00
percpu_freelist.h bpf: fix lockdep false positive in percpu_freelist 2019-03-13 14:02:36 -07:00
reuseport_array.c bpf: Introduce BPF_MAP_TYPE_REUSEPORT_SOCKARRAY 2018-08-11 01:58:46 +02:00
sockmap.c bpf: sockmap, fix transition through disconnect without close 2018-09-22 02:46:41 +02:00
stackmap.c bpf: Fix stackmap overflow check on 32-bit arches 2024-03-26 18:22:36 -04:00
syscall.c bpf: Ensure correct locking around vulnerable function find_vpid() 2022-10-26 13:19:25 +02:00
tnum.c bpf: Fix incorrect verifier simulation of ARSH under ALU32 2020-01-23 08:21:32 +01:00
verifier.c bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields 2023-05-30 12:42:14 +01:00
xskmap.c xsk: do not call synchronize_net() under RCU read lock 2018-10-11 10:19:01 +02:00