From patchwork Sun Oct 15 22:00:20 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Weinberger <richard@nod.at>
X-Patchwork-Id: 826056
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3yFb4b1PvPz9sxR
	for <patchwork-incoming@ozlabs.org>;
	Mon, 16 Oct 2017 09:01:03 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751411AbdJOWAw (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Sun, 15 Oct 2017 18:00:52 -0400
Received: from mail.sigma-star.at ([95.130.255.111]:45996 "EHLO
	mail.sigma-star.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751235AbdJOWAv (ORCPT
	<rfc822;netdev@vger.kernel.org>); Sun, 15 Oct 2017 18:00:51 -0400
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.sigma-star.at (Postfix) with ESMTP id 37D8E24E0011;
	Mon, 16 Oct 2017 00:00:41 +0200 (CEST)
Received: from blindfold.corp.sigma-star.at (richard.vpn.sigmapriv.at
	[10.3.0.5])
	by mail.sigma-star.at (Postfix) with ESMTPSA id 9A6A624E0010;
	Mon, 16 Oct 2017 00:00:39 +0200 (CEST)
From: Richard Weinberger <richard@nod.at>
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org,
	sp3485@columbia.edu, Richard Weinberger <richard@nod.at>
Subject: [PATCH] bpf: devmap: Check attr->max_entries more carefully
Date: Mon, 16 Oct 2017 00:00:20 +0200
Message-Id: <20171015220020.8157-1-richard@nod.at>
X-Mailer: git-send-email 2.13.6
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

max_entries is user controlled and used as input for __alloc_percpu().
This function expects that the allocation size is a power of two and
less than PCPU_MIN_UNIT_SIZE.
Otherwise a WARN() is triggered.

Fixes: 11393cc9b9be ("xdp: Add batching support to redirect map")
Reported-by: Shankara Pailoor <sp3485@columbia.edu>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 kernel/bpf/devmap.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index e093d9a2c4dd..6ce00083103b 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -49,6 +49,7 @@
  */
 #include <linux/bpf.h>
 #include <linux/filter.h>
+#include <linux/log2.h>
 
 struct bpf_dtab_netdev {
 	struct net_device *dev;
@@ -77,6 +78,7 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr)
 	struct bpf_dtab *dtab;
 	int err = -EINVAL;
 	u64 cost;
+	size_t palloc_size;
 
 	/* check sanity of attributes */
 	if (attr->max_entries == 0 || attr->key_size != 4 ||
@@ -95,9 +97,14 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr)
 	dtab->map.map_flags = attr->map_flags;
 	dtab->map.numa_node = bpf_map_attr_numa_node(attr);
 
+	palloc_size = roundup_pow_of_two(dev_map_bitmap_size(attr));
+	if (palloc_size > PCPU_MIN_UNIT_SIZE ||
+	    palloc_size < dev_map_bitmap_size(attr))
+		return ERR_PTR(-EINVAL);
+
 	/* make sure page count doesn't overflow */
 	cost = (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *);
-	cost += dev_map_bitmap_size(attr) * num_possible_cpus();
+	cost += palloc_size * num_possible_cpus();
 	if (cost >= U32_MAX - PAGE_SIZE)
 		goto free_dtab;
 
@@ -111,7 +118,7 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr)
 	err = -ENOMEM;
 
 	/* A per cpu bitfield with a bit per possible net device */
-	dtab->flush_needed = __alloc_percpu(dev_map_bitmap_size(attr),
+	dtab->flush_needed = __alloc_percpu(palloc_size,
 					    __alignof__(unsigned long));
 	if (!dtab->flush_needed)
 		goto free_dtab;