[PATCH openEuler-22.03-LTS-SP1] libbpf: Handle size overflow for ringbuf mmap - Kernel

29 Oct 2024

From: Hou Tao houtao1@huawei.com
stable inclusion
from stable-v5.10.158
commit 8a549ab6724520aa3c07f47e0eba820293551490
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRFE
CVE: CVE-2022-49030
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 927cbb478adf917e0a142b94baa37f06279cc466 ]
The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries
will overflow u32 when mapping producer page and data pages. Only
casting max_entries to size_t is not enough, because for 32-bits
application on 64-bits kernel the size of read-only mmap region
also could overflow size_t.
So fixing it by casting the size of read-only mmap region into a __u64
and checking whether or not there will be overflow during mmap.
Fixes: bf99c936f947 ("libbpf: Add BPF ring buffer support")
Signed-off-by: Hou Tao houtao1@huawei.com
Signed-off-by: Andrii Nakryiko andrii@kernel.org
Link: https://lore.kernel.org/bpf/20221116072351.1168938-3-houtao@huaweicloud.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Pu Lehui pulehui@huawei.com
---
 tools/lib/bpf/ringbuf.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c
index 86c31c787fb9..5e242be45206 100644
--- a/tools/lib/bpf/ringbuf.c
+++ b/tools/lib/bpf/ringbuf.c
@@ -59,6 +59,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
    __u32 len = sizeof(info);
    struct epoll_event *e;
    struct ring *r;
+	__u64 mmap_sz;
    void *tmp;
    int err;
@@ -97,8 +98,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
    r->mask = info.max_entries - 1;
/* Map writable consumer page */
-	tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED,
-		   map_fd, 0);
+	tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0);
    if (tmp == MAP_FAILED) {
    	err = -errno;
    	pr_warn("ringbuf: failed to mmap consumer page for map fd=%d: %d\n",
@@ -111,8 +111,12 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
     * data size to allow simple reading of samples that wrap around the
     * end of a ring buffer. See kernel implementation for details.
     * */
-	tmp = mmap(NULL, rb->page_size + 2 * info.max_entries, PROT_READ,
-		   MAP_SHARED, map_fd, rb->page_size);
+	mmap_sz = rb->page_size + 2 * (__u64)info.max_entries;
+	if (mmap_sz != (__u64)(size_t)mmap_sz) {
+		pr_warn("ringbuf: ring buffer size (%u) is too big\n", info.max_entries);
+		return -E2BIG;
+	}
+	tmp = mmap(NULL, (size_t)mmap_sz, PROT_READ, MAP_SHARED, map_fd, rb->page_size);
    if (tmp == MAP_FAILED) {
    	err = -errno;
    	ringbuf_unmap_ring(rb, r);
-- 
2.34.1


    