On Fri, Jan 22, 2021 at 8:43 AM Loris Reiff <loris.reiff@xxxxxxxxx> wrote:
>
> Since ctx.optlen is signed, a larger value than max_value could be
> passed, as it is later on used as unsigned, which causes a WARN_ON_ONCE
> in the copy_to_user.
>
> Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> Signed-off-by: Loris Reiff <loris.reiff@xxxxxxxxx>
> ---
> kernel/bpf/cgroup.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 6ec8f02f4..6aa9e10c6 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -1464,7 +1464,7 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level,
> goto out;
> }
>
> - if (ctx.optlen > max_optlen) {
> + if (ctx.optlen > max_optlen || ctx.optlen < 0) {
> ret = -EFAULT;
> goto out;
> }
> --
> 2.29.2

Thanks! I assume this is only an issue if the BPF program is written
incorrectly.

Reviewed-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
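Review bot: the added `|| ctx.optlen < 0` in the hunk at line 1464 deserves a one-line comment, since nothing at the check site says why a negative value is rejected; the reason (the signed ctx.optlen is later used as an unsigned length in copy_to_user, per the commit message) is only recoverable from the changelog. Suggest something like `/* optlen is signed but later used as an unsigned length */` above the `if`. The commit message also says "max_value" where the compared identifier is `max_optlen`; please align the wording so the changelog matches the code.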