bpf: Fix hashtab overflow check on 32-bit arches
stable inclusion from stable-v4.19.311 commit 33ec04cadb77605b71d9298311919303d390c4d5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK6X CVE: CVE-2024-26884 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=33ec04cadb77 -------------------------------- [ Upstream commit 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 ] The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup. Fixes: daaf427c ("bpf: fix arraymap NULL deref and missing overflow and zero size checks") Signed-off-by:Toke Høiland-Jørgensen <toke@redhat.com> Message-ID: <20240307120340.99577-3-toke@redhat.com> Signed-off-by:
Loading
Please sign in to comment