Commit 24ea2839 authored Dec 02, 2024 by Daniel Borkmann Committed by Xiaomeng Zhang Dec 02, 2024

bpf: Remove truncation test in bpf_strtol and bpf_strtoul helpers

mainline inclusion
from mainline-v6.12-rc1
commit 7d71f59e028028f1160602121f40f45e89b3664e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQOP
CVE: CVE-2024-49861

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d71f59e0280



--------------------------------

Both bpf_strtol() and bpf_strtoul() helpers passed a temporary "long long"
respectively "unsigned long long" to __bpf_strtoll() / __bpf_strtoull().

Later, the result was checked for truncation via _res != ({unsigned,} long)_res
as the destination buffer for the BPF helpers was of type {unsigned,} long
which is 32bit on 32bit architectures.

Given the latter was a bug in the helper signatures where the destination buffer
got adjusted to {s,u}64, the truncation check can now be removed.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20240913191754.13290-2-daniel@iogearbox.net


Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13@huawei.com>

parent 1b57815d

kernel/bpf/helpers.c

+0 −4

Original line number	Diff line number	Diff line
		@@ -493,8 +493,6 @@ BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
		err = __bpf_strtoll(buf, buf_len, flags, &_res);
		if (err < 0)
		return err;
		if (_res != (long)_res)
		return -ERANGE;
		*res = _res;
		return err;
		}
		@@ -522,8 +520,6 @@ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
		return err;
		if (is_negative)
		return -EINVAL;
		if (_res != (unsigned long)_res)
		return -ERANGE;
		*res = _res;
		return err;
		}