linux-stable/kernel/bpf
Toke Høiland-Jørgensen 33ec04cadb bpf: Fix hashtab overflow check on 32-bit arches
[ Upstream commit 6787d916c2 ]

The hashtab code relies on roundup_pow_of_two() to compute the number of
hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code. So apply the same
fix to hashtab, by moving the overflow check to before the roundup.

Fixes: daaf427c6a ("bpf: fix arraymap NULL deref and missing overflow and zero size checks")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Message-ID: <20240307120340.99577-3-toke@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-26 18:22:36 -04:00
arraymap.c bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-02-23 08:12:46 +01:00
bpf_lru_list.c bpf: Address KCSAN report on bpf_lru_list 2023-08-11 11:45:25 +02:00
bpf_lru_list.h bpf: Address KCSAN report on bpf_lru_list 2023-08-11 11:45:25 +02:00
btf.c bpf: btf: fix truncated last_member_type_id in btf_struct_resolve 2022-10-26 13:19:25 +02:00
cgroup.c bpf: introduce update_effective_progs() 2018-08-07 14:29:55 +02:00
core.c bpf: Adjust insufficient default bpf_jit_limit 2023-04-05 11:15:34 +02:00
cpumap.c cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled 2020-05-02 17:25:53 +02:00
devmap.c bpf: devmap: fix wrong interface selection in notifier_call 2019-12-01 09:17:01 +01:00
disasm.c bpf: Introduce BPF nospec instruction for mitigating Spectre v4 2021-09-22 11:47:58 +02:00
disasm.h bpf: Remove struct bpf_verifier_env argument from print_bpf_insn 2018-03-23 17:38:57 +01:00
hashtab.c bpf: Fix hashtab overflow check on 32-bit arches 2024-03-26 18:22:36 -04:00
helpers.c bpf: introduce the bpf_get_local_storage() helper function 2018-08-03 00:47:32 +02:00
inode.c bpf: Fix a rcu warning for bpffs map pretty-print 2020-10-01 13:14:52 +02:00
local_storage.c bpf: allocate local storage buffers using GFP_ATOMIC 2018-12-17 09:24:33 +01:00
lpm_trie.c bpf, lpm: Fix check prefixlen before walking trie 2024-01-25 14:33:33 -08:00
Makefile bpf: silence warning messages in core 2019-07-26 09:14:06 +02:00
map_in_map.c bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-02-23 08:12:46 +01:00
map_in_map.h bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-02-23 08:12:46 +01:00
offload.c bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill 2020-02-28 16:38:59 +01:00
percpu_freelist.c bpf: fix lockdep false positive in percpu_freelist 2019-03-13 14:02:36 -07:00
percpu_freelist.h bpf: fix lockdep false positive in percpu_freelist 2019-03-13 14:02:36 -07:00
reuseport_array.c bpf: Introduce BPF_MAP_TYPE_REUSEPORT_SOCKARRAY 2018-08-11 01:58:46 +02:00
sockmap.c bpf: sockmap, fix transition through disconnect without close 2018-09-22 02:46:41 +02:00
stackmap.c bpf: Fix integer overflow in prealloc_elems_and_freelist() 2021-10-13 10:10:51 +02:00
syscall.c bpf: Ensure correct locking around vulnerable function find_vpid() 2022-10-26 13:19:25 +02:00
tnum.c bpf: Fix incorrect verifier simulation of ARSH under ALU32 2020-01-23 08:21:32 +01:00
verifier.c bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields 2023-05-30 12:42:14 +01:00
xskmap.c xsk: do not call synchronize_net() under RCU read lock 2018-10-11 10:19:01 +02:00