{"release":{"tag":{"name":"4.19.90-2110.2.0","path":"/openeuler/kernel/tags/4.19.90-2110.2.0","tree_path":"/openeuler/kernel/tree/4.19.90-2110.2.0","message":"4.19.90-2110.2.0","commit":{"id":"baa4993a9c8f6adeaa0e5fb0ca5bd32da8a330b9","short_id":"baa4993","title":"bpf: Fix integer overflow in prealloc_elems_and_freelist()","title_markdown":"bpf: Fix integer overflow in prealloc_elems_and_freelist()","description":"\nmainline inclusion\nfrom mainline-5.15-rc4\ncommit 30e29a9a2bc6a4888335a6ede968b75cd329657a\ncategory: bugfix\nbugzilla: NA\nCVE: CVE-2021-41864\n\n-------------------------------------------------\n\nIn prealloc_elems_and_freelist(), the multiplication to calculate the\nsize passed to bpf_map_area_alloc() could lead to an integer overflow.\nAs a result, out-of-bounds write could occur in pcpu_freelist_populate()\nas reported by KASAN:\n\n[...]\n[   16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100\n[   16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78\n[   16.970038]\n[   16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1\n[   16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n[   16.972026] Call Trace:\n[   16.972306]  dump_stack_lvl+0x34/0x44\n[   16.972687]  print_address_description.constprop.0+0x21/0x140\n[   16.973297]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.973777]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.974257]  kasan_report.cold+0x7f/0x11b\n[   16.974681]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.975190]  pcpu_freelist_populate+0xd9/0x100\n[   16.975669]  stack_map_alloc+0x209/0x2a0\n[   16.976106]  __sys_bpf+0xd83/0x2ce0\n[...]\n\nThe possibility of this overflow was originally discussed in [0], but\nwas overlooked.\n\nFix the integer overflow by changing elem_size to u64 from u32.\n\n[0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/\n\nFixes: 557c0c6e7df8 (\"bpf: convert stackmap to pre-allocation\")\nSigned-off-by: Tatsuhiko Yasumatsu \u003Cth.yasumatsu@gmail.com\u003E\nSigned-off-by: Daniel Borkmann \u003Cdaniel@iogearbox.net\u003E\nLink: https://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com\nSigned-off-by: Xu Kuohai \u003Cxukuohai@huawei.com\u003E\nReviewed-by: Yang Jihong \u003Cyangjihong1@huawei.com\u003E\nSigned-off-by: Yang Yingliang \u003Cyangyingliang@huawei.com\u003E","description_markdown":"mainline inclusion\nfrom mainline-5.15-rc4\ncommit 30e29a9a2bc6a4888335a6ede968b75cd329657a\ncategory: bugfix\nbugzilla: NA\nCVE: CVE-2021-41864\n-------------------------------------------------\nIn prealloc_elems_and_freelist(), the multiplication to calculate the\nsize passed to bpf_map_area_alloc() could lead to an integer overflow.\nAs a result, out-of-bounds write could occur in pcpu_freelist_populate()\nas reported by KASAN:\n[...]\n[   16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100\n[   16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78\n[   16.970038]\n[   16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1\n[   16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n[   16.972026] Call Trace:\n[   16.972306]  dump_stack_lvl+0x34/0x44\n[   16.972687]  print_address_description.constprop.0+0x21/0x140\n[   16.973297]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.973777]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.974257]  kasan_report.cold+0x7f/0x11b\n[   16.974681]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.975190]  pcpu_freelist_populate+0xd9/0x100\n[   16.975669]  stack_map_alloc+0x209/0x2a0\n[   16.976106]  __sys_bpf+0xd83/0x2ce0\n[...]\nThe possibility of this overflow was originally discussed in [0], but\nwas overlooked.\nFix the integer overflow by changing elem_size to u64 from u32.\n[0] \u003Ca href=\"https://gitee.com/link?target=https%3A%2F%2Flore.kernel.org%2Fbpf%2F728b238e-a481-eb50-98e9-b0f430ab01e7%40gmail.com%2F\"\u003Ehttps://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/\u003C/a\u003E\nFixes: 557c0c6e7df8 (\"bpf: convert stackmap to pre-allocation\")\nSigned-off-by: Tatsuhiko Yasumatsu \u003Ca href=\"mailto:th.yasumatsu@gmail.com\"\u003Eth.yasumatsu@gmail.com\u003C/a\u003E\nSigned-off-by: Daniel Borkmann \u003Ca href=\"mailto:daniel@iogearbox.net\"\u003Edaniel@iogearbox.net\u003C/a\u003E\nLink: \u003Ca href=\"https://gitee.com/link?target=https%3A%2F%2Flore.kernel.org%2Fbpf%2F20210930135545.173698-1-th.yasumatsu%40gmail.com\"\u003Ehttps://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com\u003C/a\u003E\nSigned-off-by: Xu Kuohai \u003Ca href=\"mailto:xukuohai@huawei.com\"\u003Exukuohai@huawei.com\u003C/a\u003E\nReviewed-by: Yang Jihong \u003Ca href=\"mailto:yangjihong1@huawei.com\"\u003Eyangjihong1@huawei.com\u003C/a\u003E\nSigned-off-by: Yang Yingliang \u003Ca href=\"mailto:yangyingliang@huawei.com\"\u003Eyangyingliang@huawei.com\u003C/a\u003E","message":"bpf: Fix integer overflow in prealloc_elems_and_freelist()\n\nmainline inclusion\nfrom mainline-5.15-rc4\ncommit 30e29a9a2bc6a4888335a6ede968b75cd329657a\ncategory: bugfix\nbugzilla: NA\nCVE: CVE-2021-41864\n\n-------------------------------------------------\n\nIn prealloc_elems_and_freelist(), the multiplication to calculate the\nsize passed to bpf_map_area_alloc() could lead to an integer overflow.\nAs a result, out-of-bounds write could occur in pcpu_freelist_populate()\nas reported by KASAN:\n\n[...]\n[   16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100\n[   16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78\n[   16.970038]\n[   16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1\n[   16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n[   16.972026] Call Trace:\n[   16.972306]  dump_stack_lvl+0x34/0x44\n[   16.972687]  print_address_description.constprop.0+0x21/0x140\n[   16.973297]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.973777]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.974257]  kasan_report.cold+0x7f/0x11b\n[   16.974681]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.975190]  pcpu_freelist_populate+0xd9/0x100\n[   16.975669]  stack_map_alloc+0x209/0x2a0\n[   16.976106]  __sys_bpf+0xd83/0x2ce0\n[...]\n\nThe possibility of this overflow was originally discussed in [0], but\nwas overlooked.\n\nFix the integer overflow by changing elem_size to u64 from u32.\n\n[0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/\n\nFixes: 557c0c6e7df8 (\"bpf: convert stackmap to pre-allocation\")\nSigned-off-by: Tatsuhiko Yasumatsu \u003Cth.yasumatsu@gmail.com\u003E\nSigned-off-by: Daniel Borkmann \u003Cdaniel@iogearbox.net\u003E\nLink: https://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com\nSigned-off-by: Xu Kuohai \u003Cxukuohai@huawei.com\u003E\nReviewed-by: Yang Jihong \u003Cyangjihong1@huawei.com\u003E\nSigned-off-by: Yang Yingliang \u003Cyangyingliang@huawei.com\u003E\n","message_markdown":"bpf: Fix integer overflow in prealloc_elems_and_freelist()\nmainline inclusion\nfrom mainline-5.15-rc4\ncommit 30e29a9a2bc6a4888335a6ede968b75cd329657a\ncategory: bugfix\nbugzilla: NA\nCVE: CVE-2021-41864\n-------------------------------------------------\nIn prealloc_elems_and_freelist(), the multiplication to calculate the\nsize passed to bpf_map_area_alloc() could lead to an integer overflow.\nAs a result, out-of-bounds write could occur in pcpu_freelist_populate()\nas reported by KASAN:\n[...]\n[   16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100\n[   16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78\n[   16.970038]\n[   16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1\n[   16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n[   16.972026] Call Trace:\n[   16.972306]  dump_stack_lvl+0x34/0x44\n[   16.972687]  print_address_description.constprop.0+0x21/0x140\n[   16.973297]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.973777]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.974257]  kasan_report.cold+0x7f/0x11b\n[   16.974681]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.975190]  pcpu_freelist_populate+0xd9/0x100\n[   16.975669]  stack_map_alloc+0x209/0x2a0\n[   16.976106]  __sys_bpf+0xd83/0x2ce0\n[...]\nThe possibility of this overflow was originally discussed in [0], but\nwas overlooked.\nFix the integer overflow by changing elem_size to u64 from u32.\n[0] \u003Ca href=\"https://gitee.com/link?target=https%3A%2F%2Flore.kernel.org%2Fbpf%2F728b238e-a481-eb50-98e9-b0f430ab01e7%40gmail.com%2F\"\u003Ehttps://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/\u003C/a\u003E\nFixes: 557c0c6e7df8 (\"bpf: convert stackmap to pre-allocation\")\nSigned-off-by: Tatsuhiko Yasumatsu \u003Ca href=\"mailto:th.yasumatsu@gmail.com\"\u003Eth.yasumatsu@gmail.com\u003C/a\u003E\nSigned-off-by: Daniel Borkmann \u003Ca href=\"mailto:daniel@iogearbox.net\"\u003Edaniel@iogearbox.net\u003C/a\u003E\nLink: \u003Ca href=\"https://gitee.com/link?target=https%3A%2F%2Flore.kernel.org%2Fbpf%2F20210930135545.173698-1-th.yasumatsu%40gmail.com\"\u003Ehttps://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com\u003C/a\u003E\nSigned-off-by: Xu Kuohai \u003Ca href=\"mailto:xukuohai@huawei.com\"\u003Exukuohai@huawei.com\u003C/a\u003E\nReviewed-by: Yang Jihong \u003Ca href=\"mailto:yangjihong1@huawei.com\"\u003Eyangjihong1@huawei.com\u003C/a\u003E\nSigned-off-by: Yang Yingliang \u003Ca href=\"mailto:yangyingliang@huawei.com\"\u003Eyangyingliang@huawei.com\u003C/a\u003E","detail_path":"/openeuler/kernel/commit/baa4993a9c8f6adeaa0e5fb0ca5bd32da8a330b9","commits_path":"/openeuler/kernel/commits/baa4993a9c8f6adeaa0e5fb0ca5bd32da8a330b9","tree_path":"/openeuler/kernel/tree/baa4993a9c8f6adeaa0e5fb0ca5bd32da8a330b9","author":{"name":"Xu Kuohai","email":"xukuohai@huawei.com","username":"xukuohai","user_path":"/xukuohai","enterprise_user_path":null,"image_path":"no_portrait.png#Xu Kuohai-xukuohai","is_gitee_user":true,"is_enterprise_user":false,"widget_url":""},"committer":{"name":"YangYingliang","email":"yangyingliang@huawei.com","username":"yangyingliang","user_path":"/yangyingliang","enterprise_user_path":"/open_euler/dashboard/members/yangyingliang","image_path":"no_portrait.png#YangYingliang-yangyingliang","is_gitee_user":true,"is_enterprise_user":true,"widget_url":""},"authored_date":"2021-10-11T20:15:41+08:00","committed_date":"2021-10-11T20:12:22+08:00","signature":null,"build_state":null},"archive_path":"/openeuler/kernel/repository/archive/4.19.90-2110.2.0","signature":null},"operating":{"edit":false,"download":true,"destroy":false,"enterprise_forbid_zip":false},"release":{"title":"openEuler 20.03 update 4.19.90-2110.2.0","path":"/openeuler/kernel/releases/tag/4.19.90-2110.2.0","tag_path":"/openeuler/kernel/tree/4.19.90-2110.2.0","project_id":7696525,"created_at":"2021-10-11T20:47:00+08:00","is_prerelease":false,"description":"# 1 CVE\r\n-------\r\n\r\n| CVE | issue |\r\n|:---:|:-----:|\r\n| CVE-2021-41864 | #I4CZ32 |\r\n","author":{"name":"成坚  (CHENG Jian)","username":"gatieme","path":"/gatieme","avatar_url":"no_portrait.png#成坚  (CHENG Jian)-gatieme"},"attach_files":[],"zip_download_url":"/openeuler/kernel/releases/tag/4.19.90-2110.2.0.zip","tar_download_url":"/openeuler/kernel/releases/tag/4.19.90-2110.2.0.tar.gz"}}}