| Message ID | 158634678679.707275.5039642404868230051.stgit@firesoul |
|---|---|
| State | RFC |
| Delegated to: | BPF Maintainers |
| Headers | show |
| Series | [RFC,v2,01/33] xdp: add frame size to xdp_buff | expand |
From: Jesper Dangaard Brouer <brouer@redhat.com> Date: Wed, 08 Apr 2020 13:53:06 +0200 > @@ -3445,6 +3445,11 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct xdp_buff *, xdp, int, offset) > if (unlikely(data_end < xdp->data + ETH_HLEN)) > return -EINVAL; > > + /* Clear memory area on grow, can contain uninit kernel memory */ > + if (offset > 0) { > + memset(xdp->data_end, 0, offset); > + } Single statement basic blocks should elide curly braces.
On Wed, 08 Apr 2020 14:49:14 -0700 (PDT) David Miller <davem@davemloft.net> wrote: > From: Jesper Dangaard Brouer <brouer@redhat.com> > Date: Wed, 08 Apr 2020 13:53:06 +0200 > > > @@ -3445,6 +3445,11 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct xdp_buff *, xdp, int, offset) > > if (unlikely(data_end < xdp->data + ETH_HLEN)) > > return -EINVAL; > > > > + /* Clear memory area on grow, can contain uninit kernel memory */ > > + if (offset > 0) { > > + memset(xdp->data_end, 0, offset); > > + } > > Single statement basic blocks should elide curly braces. Fixed
diff --git a/net/core/filter.c b/net/core/filter.c index 4d58a147eed0..a8674f2a0e24 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -3445,6 +3445,11 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct xdp_buff *, xdp, int, offset) if (unlikely(data_end < xdp->data + ETH_HLEN)) return -EINVAL; + /* Clear memory area on grow, can contain uninit kernel memory */ + if (offset > 0) { + memset(xdp->data_end, 0, offset); + } + xdp->data_end = data_end; return 0;
Clearing memory of tail when grow happens, because it is too easy to write a XDP_PASS program that extend the tail, which expose this memory to users that can run tcpdump. Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> --- net/core/filter.c | 5 +++++ 1 file changed, 5 insertions(+)