Re: user-controllable kmalloc size in bpf syscall
On Sun, Nov 29, 2015 at 02:18:29PM +0100, Dmitry Vyukov wrote:
> ca.key_size = 1;
> ca.value_size = 0xfff9;
> ca.max_entries = 10;
> int fd = syscall(SYS_bpf, BPF_MAP_CREATE, &ca, sizeof(ca));
...
> [ cut here ]
> WARNING: CPU: 2 PID: 1112
user-controllable kmalloc size in bpf syscall
Hello,

The following program triggers a WARNING in kmalloc:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include
#include
#include
#define SYS_bpf 321
#define BPF_MAP_CREATE 0
#define BPF_MAP_UPDATE_ELEM 2
union bpf_attr {