For a malicious or corrupt BPF program with a number of conditional jumps
exceeding a third of UINT32_MAX, function `evst_pool_init` could cause
arithmetic and buffer overflows when working with the program graph.
Fix the issue by limiting the maximum number of conditional jumps supported
to UINT32_MAX / 4, or more than 1 billion.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: [email protected]
Signed-off-by: Marat Khalili <[email protected]>
---
lib/bpf/bpf_validate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 35b7d4ad83f6..23311a36d14e 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -2662,6 +2662,10 @@ evst_pool_init(struct bpf_verifier *bvf)
{
uint32_t k, n;
+ if (bvf->nb_jcc_nodes > UINT32_MAX / 4)
+ /* Calculations that follow may overflow. */
+ return -E2BIG;
+
/*
* We need nb_jcc_nodes + 1 for save_cur/restore_cur
* remaining ones will be used for state tracking/pruning.
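Review bot: the comment `/* Calculations that follow may overflow. */` is placed between the `if` and its unbraced `return -E2BIG;`, which is easy to misread as a commented-out body; move it above the `if` and have it name the quantity being protected (the `nb_jcc_nodes + 1` allocation size mentioned in the context comment) and why the bound is UINT32_MAX / 4 when the commit message says overflow starts past a third of UINT32_MAX, so the next reader does not "fix" the constant back up.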
--
2.43.0