| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20181122163519.7299-1-ww9210@gmail.com>
Date: Fri, 23 Nov 2018 00:35:19 +0800
From: ww9210 <ww9210@...il.com>
To: Alexei Starovoitov <ast@...nel.org>
Cc: Daniel Borkmann <daniel@...earbox.net>,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>, Greg KH <greg@...ah.com>,
ww9210 <ww9210@...il.com>
Subject: [PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
Integer overflow in queue_stack_map_alloc when calculating size may lead to heap overflow of arbitrary length.
The patch fix it by checking whether attr->max_entries+1 < attr->max_entries and bailing out if it is the case.
The vulnerability is discovered with the assistance of syzkaller.
Reported-by: Wei Wu <ww9210@...il.com>
To: Alexei Starovoitov <ast@...nel.org>
Cc: Daniel Borkmann <daniel@...earbox.net>
Cc: netdev <netdev@...r.kernel.org>
Cc: Eric Dumazet <edumazet@...gle.com>
Cc: Greg KH <greg@...ah.com>
Signed-off-by: Wei Wu <ww9210@...il.com>
---
kernel/bpf/queue_stack_maps.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
index 8bbd72d3a121..c35a8a4721c8 100644
--- a/kernel/bpf/queue_stack_maps.c
+++ b/kernel/bpf/queue_stack_maps.c
@@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
u64 queue_size, cost;
size = attr->max_entries + 1;
+ if (size < attr->max_entries)
+ return ERR_PTR(-EINVAL);
value_size = attr->value_size;
queue_size = sizeof(*qs) + (u64) value_size * size;
--
2.17.1
Powered by blists - more mailing lists