Date: Wed, 4 Apr 2018 11:04:08 +0200
From: Lorenz Bauer <lmb@...udflare.com>
To: ast@...nel.org, daniel@...earbox.net
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: PROBLEM: Using BPF_PROG_TEST_RUN with data_out != NULL is unsafe

Hello,

I’ve encountered an issue when using BPF_PROG_TEST_RUN and capturing the output.
The kernel copies data into user space without checking the length of
the destination buffer.

In bpf_test_finish(), size is the amount of data in the XDP buffer /
skb after the program is run. This can be larger than data_size_in due
to bpf_xdp_adjust_head() and friends.

bpf_test_finish doesn’t clamp size to data_size_out, which is what I
was expecting.

What is the correct way to use this interface?

Best,
Lorenz
--
Lorenz Bauer | Systems Engineer
25 Lavington St., London SE1 0NZ
www.cloudflare.com
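
The length mismatch described in the message above, as an added user-space model in C (not kernel code and not part of the original post). `struct pkt`, `HEADROOM`, `ROOM` and all function names are hypothetical, and returning `-ENOSPC` on truncation is this example's own choice.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define HEADROOM 256 /* assumed headroom in front of the packet (model value) */
#define ROOM     128 /* assumed maximum input size for this model */

/* Constructed stand-in for the buffer a test run operates on. */
struct pkt {
    unsigned char buf[HEADROOM + ROOM];
    size_t off; /* start of packet data inside buf */
    size_t len; /* current packet length ("size" after the run) */
};

static int pkt_init(struct pkt *p, const void *in, size_t data_size_in)
{
    if (data_size_in > ROOM)
        return -EINVAL;
    memset(p->buf, 0, sizeof(p->buf));
    p->off = HEADROOM;
    p->len = data_size_in;
    memcpy(p->buf + p->off, in, data_size_in);
    return 0;
}

/* Models a program growing the packet at the front, which is the effect
 * of bpf_xdp_adjust_head() with a negative delta. */
static int pkt_grow_head(struct pkt *p, size_t n)
{
    if (n > p->off)
        return -EINVAL;
    p->off -= n;
    p->len += n;
    return 0;
}

/* Length an unclamped copy-out writes: the caller's capacity is ignored. */
static size_t copy_len_unclamped(const struct pkt *p, size_t data_size_out)
{
    (void)data_size_out;
    return p->len;
}

/* Clamped copy-out: writes at most data_size_out bytes, always reports the
 * real size, and signals truncation so the caller can retry with more room. */
static int copy_out_clamped(const struct pkt *p, void *out,
                            size_t data_size_out, size_t *real_size)
{
    size_t n = p->len < data_size_out ? p->len : data_size_out;
    memcpy(out, p->buf + p->off, n);
    *real_size = p->len;
    return p->len > data_size_out ? -ENOSPC : 0;
}
```
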