Re: [PATCH] bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc

[Bui Quang Minh]

On Wed, Jan 27, 2021 at 11:23:41AM +0700, Bui Quang Minh wrote:
> > * Seems like there are quite a few similar calls scattered around
> > (cpumap, etc.). Did you audit these as well?
> 
> I spotted another bug after re-auditting. In hashtab, there ares 2 places using
> the same calls
> 
> 	static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
> 	{
> 		/* ... snip ... */
> 		if (htab->n_buckets == 0 ||
> 		    htab->n_buckets > U32_MAX / sizeof(struct bucket))
> 			goto free_htab;
> 
> 		htab->buckets = bpf_map_area_alloc(htab->n_buckets *
> 						   sizeof(struct bucket),
> 						   htab->map.numa_node);
> 	}
> 
> This is safe because of the above check.
> 
> 	static int prealloc_init(struct bpf_htab *htab)
> 	{
> 		u32 num_entries = htab->map.max_entries;
> 		htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries,
> 						 htab->map.numa_node);
> 	}
> 
> This is not safe since there is no limit check in elem_size.

So sorry but I rechecked and saw this bug in hashtab has been fixed with commit
e1868b9e36d0ca

Thank you,
Quang Minh.