
Commit b8d5b7c

committed
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says: ==================== pull-request: bpf 2018-10-05 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix to truncate input on ALU operations in 32 bit mode, from Jann. 2) Fixes for cgroup local storage to reject reserved flags on element update and rejection of map allocation with zero-sized value, from Roman. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2 parents 7e41837 + b799207 commit b8d5b7c


2 files changed

+13
-2
lines changed


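--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -129,7 +129,7 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key,
 struct bpf_cgroup_storage *storage;
 struct bpf_storage_buffer *new;
 
-if (flags & BPF_NOEXIST)
+if (flags != BPF_ANY && flags != BPF_EXIST)
 return -EINVAL;
 
 storage = cgroup_storage_lookup((struct bpf_cgroup_storage_map *)map,
@@ -195,6 +195,9 @@ static struct bpf_map *cgroup_storage_map_alloc(union bpf_attr *attr)
 if (attr->key_size != sizeof(struct bpf_cgroup_storage_key))
 return ERR_PTR(-EINVAL);
 
+if (attr->value_size == 0)
+return ERR_PTR(-EINVAL);
+
 if (attr->value_size > PAGE_SIZE)
 return ERR_PTR(-E2BIG);
 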
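Review bot: Neither new rejection says why the value is refused: the flag test in cgroup_storage_update_elem and the zero-size test in cgroup_storage_map_alloc return a bare -EINVAL with no comment, so a later reader cannot tell a deliberate restriction from an oversight. The flag check is now a closed allowlist, which is worth stating so that anyone adding a flag knows it must be listed explicitly, e.g. `/* Only BPF_ANY and BPF_EXIST are accepted; BPF_NOEXIST and all reserved bits are rejected. */`. For the size check, a comment along the lines of `/* A zero-sized value leaves no storage to read or write; refuse it at allocation time. */` would record the intent, though the exact failure it prevents is not visible in this hunk and should be confirmed against the allocation path. Both functions start and end outside the hunks shown.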

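--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
 u64 umin_val, umax_val;
 u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
 
+if (insn_bitness == 32) {
+/* Relevant for 32-bit RSH: Information can propagate towards
+* LSB, so it isn't sufficient to only truncate the output to
+* 32 bits.
+*/
+coerce_reg_to_size(dst_reg, 4);
+coerce_reg_to_size(&src_reg, 4);
+}
+
 smin_val = src_reg.smin_value;
 smax_val = src_reg.smax_value;
 umin_val = src_reg.umin_value;
@@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
 if (BPF_CLASS(insn->code) != BPF_ALU64) {
 /* 32-bit ALU ops are (32,32)->32 */
 coerce_reg_to_size(dst_reg, 4);
-coerce_reg_to_size(&src_reg, 4);
 }
 
 __reg_deduce_bounds(dst_reg);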
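Review bot: The two 32-bit guards in adjust_scalar_min_max_vals are now spelled differently: the new input truncation tests `insn_bitness == 32`, while the output truncation left in the second hunk still tests `BPF_CLASS(insn->code) != BPF_ALU64`. Since insn_bitness is computed from that same class test, writing `if (insn_bitness == 32) {` in both places would keep the input and output coercion visibly tied together, so a future edit cannot change one and miss the other. The added comment names only RSH, yet the coercion runs for every 32-bit ALU op; a wording such as `/* Truncate both inputs for all 32-bit ops; required for RSH, where upper bits propagate towards the LSB. */` would match what the code does. The page lists two changed files and neither is a selftest, so a verifier test pinning the tracked bounds for a 32-bit RSH would be worth adding alongside this fix. The function body starts and ends outside both hunks.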
