Commit 05443cdb authored by Toke Høiland-Jørgensen's avatar Toke Høiland-Jørgensen Committed by Pu Lehui
Browse files

bpf: Fix hashtab overflow check on 32-bit arches 

stable inclusion
from stable-v4.19.311
commit 33ec04cadb77605b71d9298311919303d390c4d5
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK6X
CVE: CVE-2024-26884

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=33ec04cadb77



--------------------------------

[ Upstream commit 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 ]

The hashtab code relies on roundup_pow_of_two() to compute the number of
hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code. So apply the same
fix to hashtab, by moving the overflow check to before the roundup.

Fixes: daaf427c ("bpf: fix arraymap NULL deref and missing overflow and zero size checks")
Signed-off-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
Message-ID: <20240307120340.99577-3-toke@redhat.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarPu Lehui <pulehui@huawei.com>
parent aaa8e73e

kernel/bpf/hashtab.c

+9 −5
Original line number Diff line number Diff line
@@ -330,7 +330,13 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) 
							  num_possible_cpus());

	}



	/* hash table size must be power of 2 */

	/* hash table size must be power of 2; roundup_pow_of_two() can overflow

	 * into UB on 32-bit arches, so check that first

	 */

	err = -E2BIG;

	if (htab->map.max_entries > 1UL << 31)

		goto free_htab;



	htab->n_buckets = roundup_pow_of_two(htab->map.max_entries);



	htab->elem_size = sizeof(struct htab_elem) +
@@ -340,10 +346,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) 
	else

		htab->elem_size += round_up(htab->map.value_size, 8);



	err = -E2BIG;

	/* prevent zero size kmalloc and check for u32 overflow */

	if (htab->n_buckets == 0 ||

	    htab->n_buckets > U32_MAX / sizeof(struct bucket))

	/* check for u32 overflow */

	if (htab->n_buckets > U32_MAX / sizeof(struct bucket))

		goto free_htab;



	cost = (u64) htab->n_buckets * sizeof(struct bucket) +