CVE-2024-26885

Severity CVSS v4.0:
Pending analysis
Type:
CWE-119 Buffer Errors
Publication date:
17/04/2024
Last modified:
24/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix DEVMAP_HASH overflow check on 32-bit arches

The devmap code allocates a number of hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end.

Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.
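The check ordering described above, as an added user-space model (not the kernel's code and not the actual patch). The function names, the `1 << fls(n - 1)` rounding formula and the 2^31 bound are assumptions of this sketch; the undefined shift is detected, never executed.

```c
#include <stdint.h>
#include <stdio.h>

/* 1-based index of the highest set bit; 0 when x == 0. */
static unsigned fls32(uint32_t x)
{
    unsigned n = 0;
    while (x) { n++; x >>= 1; }
    return n;
}

/* Shift count for rounding n (n >= 1) up to a power of two: 1 << fls(n - 1). */
static unsigned roundup_shift(uint32_t n) { return fls32(n - 1); }

/* Old ordering, unsigned long modelled as 64 bits: the shift is defined and
 * truncation to the 32-bit bucket count yields 0, which the old test rejects. */
static uint32_t old_n_buckets_64bit(uint32_t max_entries)
{
    return (uint32_t)((uint64_t)1 << roundup_shift(max_entries));
}

/* Old ordering, unsigned long modelled as 32 bits: 1 when rounding would
 * shift by the full type width (undefined, so it is never executed here). */
static int old_shift_undefined_32bit(uint32_t max_entries)
{
    return roundup_shift(max_entries) >= 32;
}

/* Fixed ordering: bound max_entries first, then round. 0 means rejected.
 * The 2^31 bound is this sketch's assumption (largest power of two in 32 bits). */
static uint32_t fixed_n_buckets(uint32_t max_entries)
{
    if (max_entries == 0 || max_entries > (UINT32_C(1) << 31))
        return 0;
    return UINT32_C(1) << roundup_shift(max_entries);
}

int main(void)
{
    /* Constructed sample values around the 2^31 boundary. */
    const uint32_t samples[] = { 1000, 0x80000000u, 0x80000001u, 0xffffffffu };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("max_entries=0x%08x old64=0x%08x ub32=%d fixed=0x%08x\n",
               (unsigned)samples[i], (unsigned)old_n_buckets_64bit(samples[i]),
               old_shift_undefined_32bit(samples[i]),
               (unsigned)fixed_n_buckets(samples[i]));
    return 0;
}
```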

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4 (including) 5.10.214 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.153 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.2 (excluding)