Integer overflow in queue_stack_map_alloc when calculating size may lead to heap overflow of arbitrary length. The patch fix it by checking whether attr->max_entries+1 < attr->max_entries and bailing out if it is the case. The vulnerability is discovered with the assistance of syzkaller.
Reported-by: Wei Wu <ww9...@gmail.com> To: Alexei Starovoitov <a...@kernel.org> Cc: Daniel Borkmann <dan...@iogearbox.net> Cc: netdev <netdev@vger.kernel.org> Cc: Eric Dumazet <eduma...@google.com> Cc: Greg KH <g...@kroah.com> Signed-off-by: Wei Wu <ww9...@gmail.com> --- kernel/bpf/queue_stack_maps.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c index 8bbd72d3a121..c35a8a4721c8 100644 --- a/kernel/bpf/queue_stack_maps.c +++ b/kernel/bpf/queue_stack_maps.c @@ -67,6 +67,8 @@ static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr) u64 queue_size, cost; size = attr->max_entries + 1; + if (size < attr->max_entries) + return ERR_PTR(-EINVAL); value_size = attr->value_size; queue_size = sizeof(*qs) + (u64) value_size * size; -- 2.17.1