]> git.baikalelectronics.ru Git - kernel.git/commitdiff
xsk: Add missing check on user supplied headroom size
authorMagnus Karlsson <magnus.karlsson@intel.com>
Tue, 14 Apr 2020 07:35:15 +0000 (09:35 +0200)
committerDaniel Borkmann <daniel@iogearbox.net>
Wed, 15 Apr 2020 11:07:18 +0000 (13:07 +0200)
Add a check that the headroom cannot be larger than the available
space in the chunk. In the current code, a malicious user can set the
headroom to a value larger than the chunk size minus the fixed XDP
headroom. That way packets with a length larger than the supported
size in the umem could get accepted and result in an out-of-bounds
write.

Fixes: 5fb4c4086995 ("xsk: add user memory registration support sockopt")
Reported-by: Bui Quang Minh <minhquangbui99@gmail.com>
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=207225
Link: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com
net/xdp/xdp_umem.c

index fa7bb5e060d0c1bc29053fef34debbfc683c8be5..ed7a6060f73cadc9c0b812898be9132387a70846 100644 (file)
@@ -343,7 +343,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
        u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
        unsigned int chunks, chunks_per_page;
        u64 addr = mr->addr, size = mr->len;
-       int size_chk, err;
+       int err;
 
        if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
                /* Strictly speaking we could support this, if:
@@ -382,8 +382,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
                        return -EINVAL;
        }
 
-       size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;
-       if (size_chk < 0)
+       if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
                return -EINVAL;
 
        umem->address = (unsigned long)addr;