xsk: fix out of boundary write in __xsk_rcv_memcpy

Message ID 1585813930-19712-1-git-send-email-lirongqing@baidu.com
State Accepted
Delegated to: BPF Maintainers

Commit Message

Li RongQing April 2, 2020, 7:52 a.m. UTC

first_len is remainder of first page, if write size is
larger than it, out of page boundary write will happen

Fixes: c05cd3645814 "(xsk: add support to allow unaligned chunk placement)"
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
 net/xdp/xsk.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Jonathan Lemon April 2, 2020, 10:20 p.m. UTC | #1
On 2 Apr 2020, at 0:52, Li RongQing wrote:

> first_len is remainder of first page, if write size is
> larger than it, out of page boundary write will happen
>
> Fixes: c05cd3645814 "(xsk: add support to allow unaligned chunk placement)"
> Signed-off-by: Li RongQing <lirongqing@baidu.com>

Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>

Björn Töpel April 3, 2020, 8:29 a.m. UTC | #2
On Fri, 3 Apr 2020 at 00:22, Jonathan Lemon <jonathan.lemon@gmail.com> wrote:
>
> On 2 Apr 2020, at 0:52, Li RongQing wrote:
>
> > first_len is remainder of first page, if write size is
> > larger than it, out of page boundary write will happen
> >
> > Fixes: c05cd3645814 "(xsk: add support to allow unaligned chunk placement)"
> > Signed-off-by: Li RongQing <lirongqing@baidu.com>
>
> Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>

Good catch!
Acked-by: Björn Töpel <bjorn.topel@intel.com>

Daniel Borkmann April 6, 2020, 8:12 p.m. UTC | #3
On 4/3/20 10:29 AM, Björn Töpel wrote:
> On Fri, 3 Apr 2020 at 00:22, Jonathan Lemon <jonathan.lemon@gmail.com> wrote:
>> On 2 Apr 2020, at 0:52, Li RongQing wrote:
>>
>>> first_len is remainder of first page, if write size is
>>> larger than it, out of page boundary write will happen
>>>
>>> Fixes: c05cd3645814 "(xsk: add support to allow unaligned chunk placement)"
>>> Signed-off-by: Li RongQing <lirongqing@baidu.com>
>>
>> Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
> 
> Good catch!
> Acked-by: Björn Töpel <bjorn.topel@intel.com>

Applied, thanks!

Björn, Magnus, others, would be really valuable to have a proper kselftest suite
in BPF for covering everything xsk related, including such corner cases as Li fixed
here, wdyt? ;-)

Thanks,
Daniel

Björn Töpel April 7, 2020, 4:35 a.m. UTC | #4
On Mon, 6 Apr 2020 at 22:13, Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 4/3/20 10:29 AM, Björn Töpel wrote:
> > On Fri, 3 Apr 2020 at 00:22, Jonathan Lemon <jonathan.lemon@gmail.com> wrote:
> >> On 2 Apr 2020, at 0:52, Li RongQing wrote:
> >>
> >>> first_len is remainder of first page, if write size is
> >>> larger than it, out of page boundary write will happen
> >>>
> >>> Fixes: c05cd3645814 "(xsk: add support to allow unaligned chunk placement)"
> >>> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> >>
> >> Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
> >
> > Good catch!
> > Acked-by: Björn Töpel <bjorn.topel@intel.com>
>
> Applied, thanks!
>
> Björn, Magnus, others, would be really valuable to have a proper kselftest suite
> in BPF for covering everything xsk related, including such corner cases as Li fixed
> here, wdyt? ;-)
>

Indeed. It's *very much* overdue. :-(


Björn

> Thanks,
> Daniel

Patch

diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 356f90e4522b..c350108aa38d 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -131,8 +131,9 @@  static void __xsk_rcv_memcpy(struct xdp_umem *umem, u64 addr, void *from_buf,
 		u64 page_start = addr & ~(PAGE_SIZE - 1);
 		u64 first_len = PAGE_SIZE - (addr - page_start);
 
-		memcpy(to_buf, from_buf, first_len + metalen);
-		memcpy(next_pg_addr, from_buf + first_len, len - first_len);
+		memcpy(to_buf, from_buf, first_len);
+		memcpy(next_pg_addr, from_buf + first_len,
+		       len + metalen - first_len);
 
 		return;
 	}
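
Review bot: The length of the second memcpy, `len + metalen - first_len`, is an unsigned subtraction (first_len is declared u64 just above), so it wraps to a very large value if first_len is ever greater than len + metalen. The condition that guards this branch is outside the hunk, so please confirm it tests the page crossing against len + metalen rather than len alone, or add a one-line comment stating that invariant next to the copy. Since the total now drives both copies, a local such as `u64 total = len + metalen;` would make the split (first_len bytes, then total - first_len bytes) easier to read and harder to get wrong again. A selftest that places a chunk so it straddles a page boundary, as requested in the thread, would catch a regression here.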