bpf, ringbuf: Deny reserve of buffers larger than ringbuf
A BPF program might try to reserve a buffer larger than the ringbuf size.
If the consumer pointer is way ahead of the producer, that would be
successfully reserved, allowing the BPF program to read or write out of
the ringbuf allocated area.

Reported-by: Ryota Shiga (Flatt Security)
Fixes: 457f443 ("bpf: Implement BPF ring buffer and verifier support for it")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Thadeu Lima de Souza Cascardo authored and Daniel Borkmann committed May 11, 2021
1 parent 049c4e1 commit 4b81cce
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions kernel/bpf/ringbuf.c
Expand Up @@ -315,6 +315,9 @@ static void *__bpf_ringbuf_reserve(struct bpf_ringbuf *rb, u64 size)
return NULL;

len = round_up(size + BPF_RINGBUF_HDR_SZ, 8);
if (len > rb->mask + 1)
return NULL;

cons_pos = smp_load_acquire(&rb->consumer_pos);

if (in_nmi()) {
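
Review bot: the added `if (len > rb->mask + 1)` check, placed right after `len` is rounded up, carries no comment, so a reader has to infer that `rb->mask + 1` is the ring size and why the bound is needed before `cons_pos` is loaded. The commit message has the reason (a consumer position far ahead of the producer lets an oversized reservation succeed and the program read or write outside the ringbuf area); a one-line comment above the check saying that a record can never be larger than the ring itself would keep that reasoning next to the code. It is also worth confirming that the earlier `return NULL` shown in the context bounds `size` tightly enough that `size + BPF_RINGBUF_HDR_SZ` cannot wrap before this comparison runs, since the new check only sees the rounded `len`.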