[bpf] xsk: add missing check on user supplied headroom size

Message ID	1586849715-23490-1-git-send-email-magnus.karlsson@intel.com
State	New
Headers	show Return-Path: <SRS0=FyVA=56=vger.kernel.org=netdev-owner@kernel.org> IronPort-SDR: k5fNYDTeAspv0i2Bqbsz9BgKcTp6FpfKArqgKsYbeVlrlQ7sda6NcmZMwrVbKye8i4FvzuBM3f w/10PyaypzzQ== IronPort-SDR: DhwHoOx9y9YWQ8eYEuTvIITKwLSX5BCtXGBFP9+IfWvq09A7k5hpWlv7KQ/WZgNcXRKcF+XPfj 4nywVsLFYcrg== From: Magnus Karlsson <magnus.karlsson@intel.com> To: magnus.karlsson@intel.com, bjorn.topel@intel.com, ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org, jonathan.lemon@gmail.com Cc: minhquangbui99@gmail.com, bpf@vger.kernel.org Subject: [PATCH bpf] xsk: add missing check on user supplied headroom size Date: Tue, 14 Apr 2020 09:35:15 +0200 Message-Id: <1586849715-23490-1-git-send-email-magnus.karlsson@intel.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	[bpf] xsk: add missing check on user supplied headroom size \| expand [bpf] xsk: add missing check on user supplied headroom size

Message ID

1586849715-23490-1-git-send-email-magnus.karlsson@intel.com

State

New

Headers

IronPort-SDR: k5fNYDTeAspv0i2Bqbsz9BgKcTp6FpfKArqgKsYbeVlrlQ7sda6NcmZMwrVbKye8i4FvzuBM3f
	w/10PyaypzzQ==
IronPort-SDR: DhwHoOx9y9YWQ8eYEuTvIITKwLSX5BCtXGBFP9+IfWvq09A7k5hpWlv7KQ/WZgNcXRKcF+XPfj
	4nywVsLFYcrg==
From: Magnus Karlsson <magnus.karlsson@intel.com>
To: magnus.karlsson@intel.com, bjorn.topel@intel.com, ast@kernel.org,
	daniel@iogearbox.net, netdev@vger.kernel.org, jonathan.lemon@gmail.com
Cc: minhquangbui99@gmail.com, bpf@vger.kernel.org
Subject: [PATCH bpf] xsk: add missing check on user supplied headroom size
Date: Tue, 14 Apr 2020 09:35:15 +0200
Message-Id: <1586849715-23490-1-git-send-email-magnus.karlsson@intel.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

[bpf] xsk: add missing check on user supplied headroom size | expand

Commit Message

Magnus Karlsson April 14, 2020, 7:35 a.m. UTC

Add a check that the headroom cannot be larger than the available
space in the chunk. In the current code, a malicious user can set the
headroom to a value larger than the chunk size minus the fixed XDP
headroom. That way packets with a length larger than the supported
size in the umem could get accepted and result in an out-of-bounds
write.

Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt")
Reported-by: Bui Quang Minh <minhquangbui99@gmail.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=207225
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
---
 net/xdp/xdp_umem.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
index fa7bb5e..ed7a606 100644
--- a/net/xdp/xdp_umem.c
+++ b/net/xdp/xdp_umem.c
@@ -343,7 +343,7 @@  static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
 	u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
 	unsigned int chunks, chunks_per_page;
 	u64 addr = mr->addr, size = mr->len;
-	int size_chk, err;
+	int err;
 
 	if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
 		/* Strictly speaking we could support this, if:
@@ -382,8 +382,7 @@  static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
 			return -EINVAL;
 	}
 
-	size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;
-	if (size_chk < 0)
+	if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
 		return -EINVAL;
 
 	umem->address = (unsigned long)addr;

[bpf] xsk: add missing check on user supplied headroom size

Commit Message

Patch