Re: general protection fault in cgroup_fd_array_put_ptr

From: Daniel Borkmann
Date: Wed Jan 10 2018 - 11:23:50 EST


On 01/10/2018 04:30 PM, Daniel Borkmann wrote:
> On 01/10/2018 01:58 PM, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on b4464bcab38d3f7fe995a7cb960eeac6889bec08
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> C reproducer is attached
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>
> Currently looking into all of the reports. Looks they're all related to fd array
> map. Will get back once I have some more data & managed to reproduce.

Ok, I know what's going on. Very roughly, we need something like the below
to check for overflows, this definitely fixes it for me. Cooking a proper
patch and doing some more analysis around it.

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index aaa3198..454f52c 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -76,11 +76,17 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
max_entries = attr->max_entries;
index_mask = roundup_pow_of_two(max_entries) - 1;

- if (unpriv)
+ if (unpriv) {
/* round up array size to nearest power of 2,
* since cpu will speculate within index_mask limits
*/
max_entries = index_mask + 1;
+ if (max_entries < attr->max_entries)
+ return ERR_PTR(-E2BIG);
+ }

array_size = sizeof(*array);
if (percpu)