Skip to content

Commit 99e3a23

Browse files
magnus-karlssonborkmann
authored andcommitted
xsk: Add missing check on user supplied headroom size
Add a check that the headroom cannot be larger than the available space in the chunk. In the current code, a malicious user can set the headroom to a value larger than the chunk size minus the fixed XDP headroom. That way packets with a length larger than the supported size in the umem could get accepted and result in an out-of-bounds write. Fixes: c0c77d8 ("xsk: add user memory registration support sockopt") Reported-by: Bui Quang Minh <minhquangbui99@gmail.com> Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://bugzilla.kernel.org/show_bug.cgi?id=207225 Link: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com
1 parent 89f33dc commit 99e3a23

File tree

1 file changed

+2
-3
lines changed

1 file changed

+2
-3
lines changed

Diff for: net/xdp/xdp_umem.c

+2-3
Original file line numberDiff line numberDiff line change
@@ -343,7 +343,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
343343
u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
344344
unsigned int chunks, chunks_per_page;
345345
u64 addr = mr->addr, size = mr->len;
346-
int size_chk, err;
346+
int err;
347347

348348
if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
349349
/* Strictly speaking we could support this, if:
@@ -382,8 +382,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
382382
return -EINVAL;
383383
}
384384

385-
size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;
386-
if (size_chk < 0)
385+
if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
387386
return -EINVAL;
388387

389388
umem->address = (unsigned long)addr;

0 commit comments

Comments
 (0)