Commit 16ebb6f5 authored Jan 13, 2025 by Dan Carpenter Committed by Jakub Kicinski Jan 14, 2025

nfp: bpf: prevent integer overflow in nfp_bpf_event_output()



The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could
potentially have an integer wrapping bug on 32bit systems.  Check for
this and return an error.

Fixes: 9816dd35 ("nfp: bpf: perf event output helpers support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/6074805b-e78d-4b8a-bf05-e929b5377c28@stanley.mountain


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent f62bb887

drivers/net/ethernet/netronome/nfp/bpf/offload.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -458,7 +458,8 @@ int nfp_bpf_event_output(struct nfp_app_bpf bpf, const void data,
		map_id_full = be64_to_cpu(cbe->map_ptr);
		map_id = map_id_full;

		if (len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size)
		if (size_add(pkt_size, data_size) > INT_MAX \|\|
		len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size)
		return -EINVAL;
		if (cbe->hdr.ver != NFP_CCM_ABI_VERSION)
		return -EINVAL;