From nobody Mon Sep 29 22:46:25 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 48A1FC3F6B0 for ; Tue, 16 Aug 2022 00:04:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356618AbiHPACk (ORCPT ); Mon, 15 Aug 2022 20:02:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60860 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356578AbiHOXyo (ORCPT ); Mon, 15 Aug 2022 19:54:44 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FAD91617F5; Mon, 15 Aug 2022 13:19:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8AC06B81181; Mon, 15 Aug 2022 20:19:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D148CC433D6; Mon, 15 Aug 2022 20:19:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660594771; bh=4RHd20ascr7WjRRQ03cxtX2b/qudhSpb5JatRmaVYo8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aJT+08Qp+h24lU+qt4JiweGozDOheYGALarPpLg1SlQ8TQZyIzogOeEUM5cbrS/LU jHUoqwXXs9kBWiWuPD/KXf4Yjo9l9DQEtFsXqA+hkowLb67rLVVSWCjhcUZUtZhj3c HcC1fDNjgebzEv+2bTTleEs6Vnp7W6SSaYo8oe/o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andrii Nakryiko , Alexei Starovoitov , Sasha Levin Subject: [PATCH 5.19 0512/1157] bpf: fix potential 32-bit overflow when accessing ARRAY map element Date: Mon, 15 Aug 2022 19:57:48 +0200 Message-Id: <20220815180500.176226318@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180439.416659447@linuxfoundation.org> References: <20220815180439.416659447@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Andrii Nakryiko [ Upstream commit 87ac0d600943994444e24382a87aa19acc4cd3d4 ] If BPF array map is bigger than 4GB, element pointer calculation can overflow because both index and elem_size are u32. Fix this everywhere by forcing 64-bit multiplication. Extract this formula into separate small helper and use it consistently in various places. Speculative-preventing formula utilizing index_mask trick is left as is, but explicit u64 casts are added in both places. Fixes: c85d69135a91 ("bpf: move memory size checks to bpf_map_charge_init()= ") Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20220715053146.1291891-2-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin --- kernel/bpf/arraymap.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index fe40d3b9458f..1d05d63e6fa5 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -156,6 +156,11 @@ static struct bpf_map *array_map_alloc(union bpf_attr = *attr) return &array->map; } =20 +static void *array_map_elem_ptr(struct bpf_array* array, u32 index) +{ + return array->value + (u64)array->elem_size * index; +} + /* Called from syscall or from eBPF program */ static void *array_map_lookup_elem(struct bpf_map *map, void *key) { @@ -165,7 +170,7 @@ static void *array_map_lookup_elem(struct bpf_map *map,= void *key) if (unlikely(index >=3D array->map.max_entries)) return NULL; =20 - return array->value + array->elem_size * (index & array->index_mask); + return array->value + (u64)array->elem_size * (index & array->index_mask); } =20 static int array_map_direct_value_addr(const struct bpf_map *map, u64 *imm, @@ -339,7 +344,7 @@ static int array_map_update_elem(struct bpf_map *map, v= oid *key, void *value, value, map->value_size); } else { val =3D array->value + - array->elem_size * (index & array->index_mask); + (u64)array->elem_size * (index & array->index_mask); if (map_flags & BPF_F_LOCK) copy_map_value_locked(map, val, value, false); else @@ -408,8 +413,7 @@ static void array_map_free_timers(struct bpf_map *map) return; =20 for (i =3D 0; i < array->map.max_entries; i++) - bpf_timer_cancel_and_free(array->value + array->elem_size * i + - map->timer_off); + bpf_timer_cancel_and_free(array_map_elem_ptr(array, i) + map->timer_off); } =20 /* Called when map->refcnt goes to zero, either from workqueue or from sys= call */ @@ -420,7 +424,7 @@ static void array_map_free(struct bpf_map *map) =20 if (map_value_has_kptrs(map)) { for (i =3D 0; i < array->map.max_entries; i++) - bpf_map_free_kptrs(map, array->value + array->elem_size * i); + bpf_map_free_kptrs(map, array_map_elem_ptr(array, i)); bpf_map_free_kptr_off_tab(map); } =20 @@ -556,7 +560,7 @@ static void *bpf_array_map_seq_start(struct seq_file *s= eq, loff_t *pos) index =3D info->index & array->index_mask; if (info->percpu_value_buf) return array->pptrs[index]; - return array->value + array->elem_size * index; + return array_map_elem_ptr(array, index); } =20 static void *bpf_array_map_seq_next(struct seq_file *seq, void *v, loff_t = *pos) @@ -575,7 +579,7 @@ static void *bpf_array_map_seq_next(struct seq_file *se= q, void *v, loff_t *pos) index =3D info->index & array->index_mask; if (info->percpu_value_buf) return array->pptrs[index]; - return array->value + array->elem_size * index; + return array_map_elem_ptr(array, index); } =20 static int __bpf_array_map_seq_show(struct seq_file *seq, void *v) @@ -690,7 +694,7 @@ static int bpf_for_each_array_elem(struct bpf_map *map,= bpf_callback_t callback_ if (is_percpu) val =3D this_cpu_ptr(array->pptrs[i]); else - val =3D array->value + array->elem_size * i; + val =3D array_map_elem_ptr(array, i); num_elems++; key =3D i; ret =3D callback_fn((u64)(long)map, (u64)(long)&key, --=20 2.35.1