From patchwork Wed May 12 14:51:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 438119 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E907C46466 for ; Wed, 12 May 2021 16:31:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 066AC60FEE for ; Wed, 12 May 2021 16:31:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234314AbhELQcC (ORCPT ); Wed, 12 May 2021 12:32:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:40576 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241108AbhELQ0Y (ORCPT ); Wed, 12 May 2021 12:26:24 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D5510619C5; Wed, 12 May 2021 15:49:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620834583; bh=iL9F0uU2nkg5CIRC/Gc/9Qbk5I/M2tuzeiAsq5MVDQM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d7qbfxKBmzNDiHGdtJc2kV8axOQ1Kffwxcr+lejDaiXCkc2URhcw07jJlQzM8QQem iDcgOu2IKHypUEkrQPaxwL8FT9mE82buO4PwqqqsTMRLCJe/5uqmKzkQmqL1o7jYuJ 2Gf0DoR8uhjxXs1nB/zD9vk7O4URjHp7uJZjzIbY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thadeu Lima de Souza Cascardo , Daniel Borkmann , Andrii Nakryiko , Alexei Starovoitov Subject: [PATCH 5.11 596/601] bpf, ringbuf: Deny reserve of buffers larger than ringbuf Date: Wed, 12 May 2021 16:51:13 +0200 Message-Id: <20210512144847.483743346@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144827.811958675@linuxfoundation.org> References: <20210512144827.811958675@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Thadeu Lima de Souza Cascardo commit 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea upstream. A BPF program might try to reserve a buffer larger than the ringbuf size. If the consumer pointer is way ahead of the producer, that would be successfully reserved, allowing the BPF program to read or write out of the ringbuf allocated area. Reported-by: Ryota Shiga (Flatt Security) Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/ringbuf.c | 3 +++ 1 file changed, 3 insertions(+) --- a/kernel/bpf/ringbuf.c +++ b/kernel/bpf/ringbuf.c @@ -315,6 +315,9 @@ static void *__bpf_ringbuf_reserve(struc return NULL; len = round_up(size + BPF_RINGBUF_HDR_SZ, 8); + if (len > rb->mask + 1) + return NULL; + cons_pos = smp_load_acquire(&rb->consumer_pos); if (in_nmi()) {