On Thu, May 26, 2022 at 01:24:05PM +0300, Dan Carpenter wrote:
> The kvmalloc_array() function is safer because it has a check for
> integer overflows. These sizes come from the user and I was not
> able to see any bounds checking so an integer overflow seems like a
> realistic concern.
>
> Fixes: 0dcac2725406 ("bpf: Add multi kprobe link")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Eugene was addressing these:
https://lore.kernel.org/bpf/399e634781822329e856103cddba975f58f0498c.1652982525.git.esyr@xxxxxxxxxx/
I think using kvmalloc_array was one of the review comments
jirka
> ---
> kernel/trace/bpf_trace.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 10b157a6d73e..7a13e6ac6327 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -2263,11 +2263,11 @@ static int copy_user_syms(struct user_syms *us, unsigned long __user *usyms, u32
> int err = -ENOMEM;
> unsigned int i;
>
> - syms = kvmalloc(cnt * sizeof(*syms), GFP_KERNEL);
> + syms = kvmalloc_array(cnt, sizeof(*syms), GFP_KERNEL);
> if (!syms)
> goto error;
>
> - buf = kvmalloc(cnt * KSYM_NAME_LEN, GFP_KERNEL);
> + buf = kvmalloc_array(cnt, KSYM_NAME_LEN, GFP_KERNEL);
> if (!buf)
> goto error;
>
> @@ -2464,7 +2464,7 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
> return -EINVAL;
>
> size = cnt * sizeof(*addrs);
> - addrs = kvmalloc(size, GFP_KERNEL);
> + addrs = kvmalloc_array(cnt, sizeof(*addrs), GFP_KERNEL);
> if (!addrs)
> return -ENOMEM;
>
> @@ -2489,7 +2489,7 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
>
> ucookies = u64_to_user_ptr(attr->link_create.kprobe_multi.cookies);
> if (ucookies) {
> - cookies = kvmalloc(size, GFP_KERNEL);
> + cookies = kvmalloc_array(cnt, sizeof(*addrs), GFP_KERNEL);
> if (!cookies) {
> err = -ENOMEM;
> goto error;
> --
> 2.35.1
>
