Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'for-net' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Alexei Starovoitov says:

====================
pull-request: bpf 2024-03-27

The following pull-request contains BPF updates for your *net* tree.

We've added 4 non-merge commits during the last 1 day(s) which contain
a total of 5 files changed, 26 insertions(+), 3 deletions(-).

The main changes are:

1) Fix bloom filter value size validation and protect the verifier
against such mistakes, from Andrei.

2) Fix build due to CONFIG_KEXEC_CORE/CRASH_DUMP split, from Hari.

3) Update bpf_lsm maintainers entry, from Matt.

* tag 'for-net' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
bpf: update BPF LSM designated reviewer list
bpf: Protect against int overflow for stack access size
bpf: Check bloom filter map value size
bpf: fix warning for crash_kexec
====================

Link: https://lore.kernel.org/r/20240328012938.24249-1-alexei.starovoitov@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+26 -3
+1 -2
MAINTAINERS
··· 3941 3941 3942 3942 BPF [SECURITY & LSM] (Security Audit and Enforcement using BPF) 3943 3943 M: KP Singh <kpsingh@kernel.org> 3944 - R: Florent Revest <revest@chromium.org> 3945 - R: Brendan Jackman <jackmanb@chromium.org> 3944 + R: Matt Bobrowski <mattbobrowski@google.com> 3946 3945 L: bpf@vger.kernel.org 3947 3946 S: Maintained 3948 3947 F: Documentation/bpf/prog_lsm.rst
+13
kernel/bpf/bloom_filter.c
··· 80 80 return -EOPNOTSUPP; 81 81 } 82 82 83 + /* Called from syscall */ 84 + static int bloom_map_alloc_check(union bpf_attr *attr) 85 + { 86 + if (attr->value_size > KMALLOC_MAX_SIZE) 87 + /* if value_size is bigger, the user space won't be able to 88 + * access the elements. 89 + */ 90 + return -E2BIG; 91 + 92 + return 0; 93 + } 94 + 83 95 static struct bpf_map *bloom_map_alloc(union bpf_attr *attr) 84 96 { 85 97 u32 bitset_bytes, bitset_mask, nr_hash_funcs, nr_bits; ··· 203 191 BTF_ID_LIST_SINGLE(bpf_bloom_map_btf_ids, struct, bpf_bloom_filter) 204 192 const struct bpf_map_ops bloom_filter_map_ops = { 205 193 .map_meta_equal = bpf_map_meta_equal, 194 + .map_alloc_check = bloom_map_alloc_check, 206 195 .map_alloc = bloom_map_alloc, 207 196 .map_free = bloom_map_free, 208 197 .map_get_next_key = bloom_map_get_next_key,
+1 -1
kernel/bpf/helpers.c
··· 2548 2548 __bpf_kfunc_end_defs(); 2549 2549 2550 2550 BTF_KFUNCS_START(generic_btf_ids) 2551 - #ifdef CONFIG_KEXEC_CORE 2551 + #ifdef CONFIG_CRASH_DUMP 2552 2552 BTF_ID_FLAGS(func, crash_kexec, KF_DESTRUCTIVE) 2553 2553 #endif 2554 2554 BTF_ID_FLAGS(func, bpf_obj_new_impl, KF_ACQUIRE | KF_RET_NULL)
+5
kernel/bpf/verifier.c
··· 6701 6701 err = check_stack_slot_within_bounds(env, min_off, state, type); 6702 6702 if (!err && max_off > 0) 6703 6703 err = -EINVAL; /* out of stack access into non-negative offsets */ 6704 + if (!err && access_size < 0) 6705 + /* access_size should not be negative (or overflow an int); others checks 6706 + * along the way should have prevented such an access. 6707 + */ 6708 + err = -EFAULT; /* invalid negative access size; integer overflow? */ 6704 6709 6705 6710 if (err) { 6706 6711 if (tnum_is_const(reg->var_off)) {
+6
tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c
··· 2 2 /* Copyright (c) 2021 Facebook */ 3 3 4 4 #include <sys/syscall.h> 5 + #include <limits.h> 5 6 #include <test_progs.h> 6 7 #include "bloom_filter_map.skel.h" 7 8 ··· 20 19 /* Invalid value size */ 21 20 fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, 0, 100, NULL); 22 21 if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value size 0")) 22 + close(fd); 23 + 24 + /* Invalid value size: too big */ 25 + fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, INT32_MAX, 100, NULL); 26 + if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value too large")) 23 27 close(fd); 24 28 25 29 /* Invalid max entries size */
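Review bot: in the new bloom_map_alloc_check() in kernel/bpf/bloom_filter.c, the two-line comment sits between `if (attr->value_size > KMALLOC_MAX_SIZE)` and its `return -E2BIG;` with no braces, which makes the single-statement body easy to misread and is the kind of layout checkpatch complains about; move the comment above the `if` (or brace the body) so the statement stays next to its condition. The placement of the check is right: it is wired into `.map_alloc_check`, which runs before bloom_map_alloc() allocates anything, so an oversized value_size is rejected with -E2BIG up front instead of surfacing later when an element is pushed or peeked, and it leaves the existing rejection of a zero value_size (already exercised by the selftest) untouched.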
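Review bot: the guard around `BTF_ID_FLAGS(func, crash_kexec, KF_DESTRUCTIVE)` in kernel/bpf/helpers.c now keys on CONFIG_CRASH_DUMP instead of CONFIG_KEXEC_CORE; please confirm this is the only spot in BPF that still references crash_kexec under the old symbol, since a kfunc registered under one config option while its implementation is built under another is exactly the mismatch the commit message ("fix warning for crash_kexec") describes. A one-line comment on the `#ifdef` saying that crash_kexec lives under CONFIG_CRASH_DUMP since the KEXEC_CORE/CRASH_DUMP split would stop the next config rework from reintroducing it.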
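Review bot: the new `if (!err && access_size < 0)` in kernel/bpf/verifier.c falls through to the existing reporting block (`if (err) { if (tnum_is_const(reg->var_off)) ...`), which is written for out-of-bounds offsets, so a negative access_size, which the comment itself says can only mean an int overflow that earlier checks should have prevented, is reported to the user in the same terms as an ordinary bad stack access; an explicit verbose(env, ...) naming the suspected overflow before setting `err = -EFAULT` would keep the verifier-bug case distinguishable in logs, and -EFAULT is the right code for that case. Two smaller points: the comment reads "others checks" where it means "other checks", and, like the bloom filter hunk, it places a multi-line comment between the `if` and its single-statement body; put the comment above the condition.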
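Review bot: the include added to tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c is `<limits.h>`, but the constant the new case uses is INT32_MAX, which `<stdint.h>` defines (`<limits.h>` gives INT_MAX); it presumably builds because stdint.h reaches the file transitively through the other headers, which is fragile, so either include `<stdint.h>` or use INT_MAX to match the header you added. Separately, INT32_MAX only exercises the far end of the rejected range; since KMALLOC_MAX_SIZE is not visible from user space a precise boundary test is hard, but a companion case showing that a realistically large value_size (a few KiB) is still accepted would document that the new map_alloc_check rejects only the oversized case and did not regress normal large values.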