[PATCH net] nfp: bpf: prevent integer overflow in nfp_bpf_event_output()

From: Dan Carpenter
Date: Mon Jan 13 2025 - 01:18:58 EST

Next message: I Hsin Cheng: "[RFC PATCH] cpumask: Implement "random" version of cpumask_any_but()"
Previous message: Dan Carpenter: "[PATCH RESEND] ksmbd: fix integer overflows on 32 bit systems"
Next in thread: Alexander Lobakin: "Re: [PATCH net] nfp: bpf: prevent integer overflow in nfp_bpf_event_output()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could
potentially have an integer wrapping bug on 32bit systems. Check for
this and return an error.

Fixes: 9816dd35ecec ("nfp: bpf: perf event output helpers support")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/netronome/nfp/bpf/offload.c b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
index 9d97cd281f18..c03558adda91 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/offload.c
+++ b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
@@ -458,7 +458,8 @@ int nfp_bpf_event_output(struct nfp_app_bpf *bpf, const void *data,
map_id_full = be64_to_cpu(cbe->map_ptr);
map_id = map_id_full;

- if (len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size)
+ if (size_add(pkt_size, data_size) > INT_MAX ||
+ len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size)
return -EINVAL;
if (cbe->hdr.ver != NFP_CCM_ABI_VERSION)
return -EINVAL;
--
2.45.2

Next message: I Hsin Cheng: "[RFC PATCH] cpumask: Implement "random" version of cpumask_any_but()"
Previous message: Dan Carpenter: "[PATCH RESEND] ksmbd: fix integer overflows on 32 bit systems"
Next in thread: Alexander Lobakin: "Re: [PATCH net] nfp: bpf: prevent integer overflow in nfp_bpf_event_output()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]