[PATCH openEuler-1.0-LTS 0/2] CVE-2024-26883

List overview All Threads
Download

newer

older

[PATCH OLK-6.6]...

Pu Lehui

7 May 2024 7 May '24

3:47 p.m.

Bui Quang Minh (1): bpf: Check for integer overflow when using roundup_pow_of_two()

Toke Høiland-Jørgensen (1): bpf: Fix stackmap overflow check on 32-bit arches

kernel/bpf/stackmap.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)

-- 2.34.1

Show replies by date

Pu Lehui

7 May 7 May

3:47 p.m.

New subject: [PATCH openEuler-1.0-LTS 1/2] bpf: Check for integer overflow when using roundup_pow_of_two()

From: Bui Quang Minh minhquangbui99@gmail.com

stable inclusion from stable-v4.19.177 commit 063c722dd9d285d877e6fd499e753d6224f4c046 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKCB CVE: CVE-2024-26883

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 6183f4d3a0a2ad230511987c6c362ca43ec0055f ]

On 32-bit architecture, roundup_pow_of_two() can return 0 when the argument has upper most bit set due to resulting 1UL << 32. Add a check for this case.

Fixes: d5a3b1f69186 ("bpf: introduce BPF_MAP_TYPE_STACK_TRACE") Signed-off-by: Bui Quang Minh minhquangbui99@gmail.com Signed-off-by: Daniel Borkmann daniel@iogearbox.net Link: https://lore.kernel.org/bpf/20210127063653.3576-1-minhquangbui99@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Pu Lehui pulehui@huawei.com --- kernel/bpf/stackmap.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c index f49cec211fe1..92310b07cb98 100644 --- a/kernel/bpf/stackmap.c +++ b/kernel/bpf/stackmap.c @@ -115,6 +115,8 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr)

/* hash table size must be power of 2 */ n_buckets = roundup_pow_of_two(attr->max_entries); + if (!n_buckets) + return ERR_PTR(-E2BIG);

cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); if (cost >= U32_MAX - PAGE_SIZE)

-- 2.34.1

Pu Lehui

3:47 p.m.

New subject: [PATCH openEuler-1.0-LTS 2/2] bpf: Fix stackmap overflow check on 32-bit arches

From: Toke Høiland-Jørgensen toke@redhat.com

stable inclusion from stable-v4.19.311 commit d0e214acc59145ce25113f617311aa79dda39cb3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKCB CVE: CVE-2024-26883

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 7a4b21250bf79eef26543d35bd390448646c536b ]

The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code.

The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem.

Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()") Signed-off-by: Toke Høiland-Jørgensen toke@redhat.com Reviewed-by: Bui Quang Minh minhquangbui99@gmail.com Message-ID: 20240307120340.99577-4-toke@redhat.com Signed-off-by: Alexei Starovoitov ast@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Pu Lehui pulehui@huawei.com --- kernel/bpf/stackmap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c index 92310b07cb98..a41858db1441 100644 --- a/kernel/bpf/stackmap.c +++ b/kernel/bpf/stackmap.c @@ -113,11 +113,14 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) } else if (value_size / 8 > sysctl_perf_event_max_stack) return ERR_PTR(-EINVAL);

- /* hash table size must be power of 2 */ - n_buckets = roundup_pow_of_two(attr->max_entries); - if (!n_buckets) + /* hash table size must be power of 2; roundup_pow_of_two() can overflow + * into UB on 32-bit arches, so check that first + */ + if (attr->max_entries > 1UL << 31) return ERR_PTR(-E2BIG);

+ n_buckets = roundup_pow_of_two(attr->max_entries); + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); if (cost >= U32_MAX - PAGE_SIZE) return ERR_PTR(-E2BIG);

-- 2.34.1

patchwork bot

3:51 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/6858 邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/N...

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/6858 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/N...

202

Age (days ago)

202

Last active (days ago)

kernel@openeuler.org

3 comments

2 participants

tags (0)

participants (2)

patchwork bot
Pu Lehui