lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9cb42173-e394-4c5b-aef2-fe9ce737689e@gmail.com>
Date: Thu, 24 Apr 2025 21:45:15 +0700
From: Bui Quang Minh <minhquangbui99@...il.com>
To: Alexander Lobakin <aleksander.lobakin@...el.com>
Cc: netdev@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
 Daniel Borkmann <daniel@...earbox.net>, "David S. Miller"
 <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
 Jesper Dangaard Brouer <hawk@...nel.org>,
 John Fastabend <john.fastabend@...il.com>, Eric Dumazet
 <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
 Simon Horman <horms@...nel.org>,
 Maciej Fijalkowski <maciej.fijalkowski@...el.com>, bpf@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] xsk: respect the offsets when copying frags

On 4/24/25 21:02, Alexander Lobakin wrote:
> From: Bui Quang Minh <minhquangbui99@...il.com>
> Date: Wed, 23 Apr 2025 17:10:47 +0700
>
>> Add the missing offsets when copying frags in xdp_copy_frags_from_zc().
>>
>> Fixes: 560d958c6c68 ("xsk: add generic XSk &xdp_buff -> skb conversion")
>> Signed-off-by: Bui Quang Minh <minhquangbui99@...il.com>
>> ---
>>   net/core/xdp.c | 7 ++++---
>>   1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/core/xdp.c b/net/core/xdp.c
>> index f86eedad586a..a723dc301f94 100644
>> --- a/net/core/xdp.c
>> +++ b/net/core/xdp.c
>> @@ -697,7 +697,8 @@ static noinline bool xdp_copy_frags_from_zc(struct sk_buff *skb,
>>   	nr_frags = xinfo->nr_frags;
>>   
>>   	for (u32 i = 0; i < nr_frags; i++) {
>> -		u32 len = skb_frag_size(&xinfo->frags[i]);
>> +		const skb_frag_t *frag = &xinfo->frags[i];
>> +		u32 len = skb_frag_size(frag);
>>   		u32 offset, truesize = len;
>>   		netmem_ref netmem;
>>   
>> @@ -707,8 +708,8 @@ static noinline bool xdp_copy_frags_from_zc(struct sk_buff *skb,
>>   			return false;
>>   		}
>>   
>> -		memcpy(__netmem_address(netmem),
>> -		       __netmem_address(xinfo->frags[i].netmem),
>> +		memcpy(__netmem_address(netmem) + offset,
>> +		       __netmem_address(frag->netmem) + skb_frag_off(frag),
>>   		       LARGEST_ALIGN(len));
>>   		__skb_fill_netmem_desc_noacc(sinfo, i, netmem, offset, len);
> Incorrect fix.
>
> page_pool_dev_alloc_netmem() allocates a buffer of skb_frag_size() len,
> but then you pass offset when copying, which may lead to access beyond
> the end of the buffer.
>
> I know that my code here is incorrect as well, but the idea was to
> allocate only skb_frag_size() and copy the actual payload without any
> offset to the new buffer. So, you need to pass the offset only to the
> second argument of memcpy() and then pass 0 as @offset to
> __skb_fill_netmem_desc_noacc().

I'm not quite familiar with the page_pool API so I might be wrong. 
AFAICS, the netmem_ref is just a wrapper around struct page now. 
page_pool_dev_alloc_netmem(pp, &offset, &truesize) returns the allocated 
page for our request but we must use the returned offset to access our 
allocated space. The start of page may be currently used by other user.

That's my understanding when looking at this code path

page_pool_dev_alloc_netmem
-> page_pool_alloc_netmem
     -> page_pool_alloc_frag_netmem <- specifically this function

Thanks,
Quang Minh.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ