summaryrefslogtreecommitdiffstats
path: root/kernel/bpf/hashtab.c
diff options
context:
space:
mode:
authorAlexei Starovoitov <ast@plumgrid.com>2014-11-19 02:32:16 +0100
committerDavid S. Miller <davem@davemloft.net>2014-11-19 21:40:00 +0100
commitdaaf427c6ab392bedcd018e326b2ffa1e1110cd6 (patch)
tree48b565eb6791a0e49f42dccb6a2873f94492280c /kernel/bpf/hashtab.c
parentnetlink: Deletion of an unnecessary check before the function call "__module_... (diff)
downloadlinux-daaf427c6ab392bedcd018e326b2ffa1e1110cd6.tar.xz
linux-daaf427c6ab392bedcd018e326b2ffa1e1110cd6.zip
bpf: fix arraymap NULL deref and missing overflow and zero size checks
- fix NULL pointer dereference: kernel/bpf/arraymap.c:41 array_map_alloc() error: potential null dereference 'array'. (kzalloc returns null) kernel/bpf/arraymap.c:41 array_map_alloc() error: we previously assumed 'array' could be null (see line 40) - integer overflow check was missing in arraymap (hashmap checks for overflow via kmalloc_array()) - arraymap can round_up(value_size, 8) to zero. check was missing. - hashmap was missing zero size check as well, since roundup_pow_of_two() can truncate into zero - found a typo in the arraymap comment and unnecessary empty line Fix all of these issues and make both overflow checks explicit U32 in size. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r--kernel/bpf/hashtab.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index d234a012f046..b3ba43674310 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -65,6 +65,11 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
goto free_htab;
err = -ENOMEM;
+ /* prevent zero size kmalloc and check for u32 overflow */
+ if (htab->n_buckets == 0 ||
+ htab->n_buckets > U32_MAX / sizeof(struct hlist_head))
+ goto free_htab;
+
htab->buckets = kmalloc_array(htab->n_buckets, sizeof(struct hlist_head),
GFP_USER | __GFP_NOWARN);