forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

bpf, ringbuf: Deny reserve of buffers larger than ringbuf

Browse source 
commit 4b81ccebae upstream.

A BPF program might try to reserve a buffer larger than the ringbuf size.
If the consumer pointer is way ahead of the producer, that would be
successfully reserved, allowing the BPF program to read or write out of
the ringbuf allocated area.

Reported-by: Ryota Shiga (Flatt Security)
Fixes: 457f44363a ("bpf: Implement BPF ring buffer and verifier support for it")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Thadeu Lima de Souza Cascardo 2021-04-27 10:12:12 -03:00 committed by Greg Kroah-Hartman
commit 1ca284f086
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
kernel/bpf/ringbuf.c
View file

@ -334,6 +334,9 @@ static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size)
return NULL;
len = round_up(size + BPF_RINGBUF_HDR_SZ, 8);
if (len > rb->mask + 1)
return NULL;
cons_pos = smp_load_acquire(&rb->consumer_pos);
if (in_nmi()) {