Commit 64176bff authored by Hou Tao's avatar Hou Tao Committed by Andrii Nakryiko
Browse files

libbpf: Handle size overflow for user ringbuf mmap 



Similar with the overflow problem on ringbuf mmap, in user_ringbuf_map()
2 * max_entries may overflow u32 when mapping writeable region.

Fixing it by casting the size of writable mmap region into a __u64 and
checking whether or not there will be overflow during mmap.

Fixes: b66ccae0 ("bpf: Add libbpf logic for user-space ring buffer")
Signed-off-by: default avatarHou Tao <houtao1@huawei.com>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20221116072351.1168938-4-houtao@huaweicloud.com
parent 927cbb47

tools/lib/bpf/ringbuf.c

+8 −2
Original line number Diff line number Diff line
@@ -352,6 +352,7 @@ static int user_ringbuf_map(struct user_ring_buffer *rb, int map_fd) 
{

	struct bpf_map_info info;

	__u32 len = sizeof(info);

	__u64 mmap_sz;

	void *tmp;

	struct epoll_event *rb_epoll;

	int err;
@@ -388,8 +389,13 @@ static int user_ringbuf_map(struct user_ring_buffer *rb, int map_fd) 
	 * simple reading and writing of samples that wrap around the end of

	 * the buffer.  See the kernel implementation for details.

	 */

	tmp = mmap(NULL, rb->page_size + 2 * info.max_entries,

		   PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, rb->page_size);

	mmap_sz = rb->page_size + 2 * (__u64)info.max_entries;

	if (mmap_sz != (__u64)(size_t)mmap_sz) {

		pr_warn("user ringbuf: ring buf size (%u) is too big\n", info.max_entries);

		return -E2BIG;

	}

	tmp = mmap(NULL, (size_t)mmap_sz, PROT_READ | PROT_WRITE, MAP_SHARED,

		   map_fd, rb->page_size);

	if (tmp == MAP_FAILED) {

		err = -errno;

		pr_warn("user ringbuf: failed to mmap data pages for map fd=%d: %d\n",