rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: a0a129f8b6cff54ab479324a54aefdab5db4f240 [log] [tgz]
author: Xi Wang <xi.wang@gmail.com> Thu Dec 22 13:35:22 2011 +0000
committer: David S. Miller <davem@davemloft.net> Thu Dec 22 22:34:56 2011 -0500
tree: d3e74b3a59e0fd9c1173852d200eb8491918a3ff
parent: e688a604807647c9450f9c12a7cb6d027150a895 [diff] [blame]
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index c71c434..385aefe 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c

@@ -665,11 +665,14 @@
 	if (count) {
 		int i;
 
-		if (count > 1<<30) {
+		if (count > INT_MAX)
+			return -EINVAL;
+		count = roundup_pow_of_two(count);
+		if (count > (ULONG_MAX - sizeof(struct rps_dev_flow_table))
+				/ sizeof(struct rps_dev_flow)) {
 			/* Enforce a limit to prevent overflow */
 			return -EINVAL;
 		}
-		count = roundup_pow_of_two(count);
 		table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
 		if (!table)
 			return -ENOMEM;
commit	a0a129f8b6cff54ab479324a54aefdab5db4f240	[log] [tgz]
author	Xi Wang <xi.wang@gmail.com>	Thu Dec 22 13:35:22 2011 +0000
committer	David S. Miller <davem@davemloft.net>	Thu Dec 22 22:34:56 2011 -0500
tree	d3e74b3a59e0fd9c1173852d200eb8491918a3ff
parent	e688a604807647c9450f9c12a7cb6d027150a895 [diff] [blame]