libbpf: Handle size overflow for user ringbuf mmap

Similar with the overflow problem on ringbuf mmap, in user_ringbuf_map()
2 * max_entries may overflow u32 when mapping writeable region.

Fixing it by casting the size of writable mmap region into a __u64 and
checking whether or not there will be overflow during mmap.

Fixes: b66ccae01f1d ("bpf: Add libbpf logic for user-space ring buffer")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20221116072351.1168938-4-houtao@huaweicloud.com

diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c
index 8d26684..5c4401c 100644 (file)
--- a/tools/lib/bpf/ringbuf.c
+++ b/tools/lib/bpf/ringbuf.c
@@ -352,6 +352,7 @@ static int user_ringbuf_map(struct user_ring_buffer *rb, int map_fd)
 {
        struct bpf_map_info info;
        __u32 len = sizeof(info);
+       __u64 mmap_sz;
        void *tmp;
        struct epoll_event *rb_epoll;
        int err;
@@ -388,8 +389,13 @@ static int user_ringbuf_map(struct user_ring_buffer *rb, int map_fd)
         * simple reading and writing of samples that wrap around the end of
         * the buffer.  See the kernel implementation for details.
         */
-       tmp = mmap(NULL, rb->page_size + 2 * info.max_entries,
-                  PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, rb->page_size);
+       mmap_sz = rb->page_size + 2 * (__u64)info.max_entries;
+       if (mmap_sz != (__u64)(size_t)mmap_sz) {
+               pr_warn("user ringbuf: ring buf size (%u) is too big\n", info.max_entries);
+               return -E2BIG;
+       }
+       tmp = mmap(NULL, (size_t)mmap_sz, PROT_READ | PROT_WRITE, MAP_SHARED,
+                  map_fd, rb->page_size);
        if (tmp == MAP_FAILED) {
                err = -errno;
                pr_warn("user ringbuf: failed to mmap data pages for map fd=%d: %d\n",