Unverified Commit b9f13a64 authored by openeuler-ci-bot, committed by Gitee

!6858 CVE-2024-26883

Merge Pull Request from: @ci-robot 
 
PR sync from: Pu Lehui <pulehui@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/NN47TBMOWG2XEWHYDUDX7IDNJW3LG7FH/ 
Bui Quang Minh (1):
  bpf: Check for integer overflow when using roundup_pow_of_two()

Toke Høiland-Jørgensen (1):
  bpf: Fix stackmap overflow check on 32-bit arches


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9HKCB 
 
Link: https://gitee.com/openeuler/kernel/pulls/6858

 

Reviewed-by: Xu Kuohai <xukuohai@huawei.com>
Reviewed-by: Liu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
parents aed5f40a 473788b5
+6 −1
@@ -113,7 +113,12 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr)
	} else if (value_size / 8 > sysctl_perf_event_max_stack)
		return ERR_PTR(-EINVAL);

	/* hash table size must be power of 2 */
	/* hash table size must be power of 2; roundup_pow_of_two() can overflow
	 * into UB on 32-bit arches, so check that first
	 */
	if (attr->max_entries > 1UL << 31)
		return ERR_PTR(-E2BIG);

	n_buckets = roundup_pow_of_two(attr->max_entries);

	cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap);
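Review bot: the new bound "if (attr->max_entries > 1UL << 31)" still admits max_entries == 2^31, so n_buckets can be 2^31, and the following context line "cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap);" multiplies that by the pointer size. The declarations of n_buckets and cost are outside this hunk, so please confirm the product is evaluated in a 64-bit type on 32-bit arches (for example by casting n_buckets to u64 before the multiply); if it is evaluated in 32 bits, 2^31 * 4 wraps to 0 and the cost accounting undercounts. It would also help to say in the commit message which of the two listed patches addresses CVE-2024-26883 and which is the prerequisite, since the merged diff folds both into one hunk.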