On 01/10/2018 04:30 PM, Daniel Borkmann wrote: > On 01/10/2018 01:58 PM, syzbot wrote: >> Hello, >> >> syzkaller hit the following crash on b4464bcab38d3f7fe995a7cb960eeac6889bec08 >> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master >> compiler: gcc (GCC) 7.1.1 20170620 >> .config is attached >> Raw console output is attached. >> C reproducer is attached >> syzkaller reproducer is attached. See https://goo.gl/kgGztJ >> for information about syzkaller reproducers > > Currently looking into all of the reports. Looks they're all related to fd > array > map. Will get back once I have some more data & managed to reproduce.
Ok, I know what's going on. Very roughly, we need something like the below to check for overflows, this definitely fixes it for me. Cooking a proper patch and doing some more analysis around it. diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index aaa3198..454f52c 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -76,11 +76,17 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) max_entries = attr->max_entries; index_mask = roundup_pow_of_two(max_entries) - 1; - if (unpriv) + if (unpriv) { /* round up array size to nearest power of 2, * since cpu will speculate within index_mask limits */ max_entries = index_mask + 1; + if (max_entries < attr->max_entries) + return ERR_PTR(-E2BIG); + } array_size = sizeof(*array); if (percpu)