On Wed, Jan 27, 2021 at 11:23:41AM +0700, Bui Quang Minh wrote:
> > * Seems like there are quite a few similar calls scattered around
> > (cpumap, etc.). Did you audit these as well?
>
> I spotted another bug after re-auditting. In hashtab, there ares 2 places using
> the same calls
>
> static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
> {
> /* ... snip ... */
> if (htab->n_buckets == 0 ||
> htab->n_buckets > U32_MAX / sizeof(struct bucket))
> goto free_htab;
>
> htab->buckets = bpf_map_area_alloc(htab->n_buckets *
> sizeof(struct bucket),
> htab->map.numa_node);
> }
>
> This is safe because of the above check.
>
> static int prealloc_init(struct bpf_htab *htab)
> {
> u32 num_entries = htab->map.max_entries;
> htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries,
> htab->map.numa_node);
> }
>
> This is not safe since there is no limit check in elem_size.
So sorry but I rechecked and saw this bug in hashtab has been fixed with commit
e1868b9e36d0ca
Thank you,
Quang Minh.
