lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 25 May 2020 09:54:59 +0200
From:   Björn Töpel <>
To:     Minh Bùi Quang <>,
        Magnus Karlsson <>
Subject: Re: XDP socket DOS bug

On 2020-05-20 17:16, Minh Bùi Quang wrote:
> Dear sir,
> In function xdp_umem_reg (net/xdp/xdp_umem.c), there is an initialization
>           //size is u64
>           umem->npgs = size / PAGE_SIZE;
> When look at the definition of xdp_umem struct, I see
>          struct xdp_umem {
>                   .....
>                   u32 npgs;
>                   .....
>          }
> npgs is u32, however the result of division can be bigger than u32
> (there is no limit in size which is u64), so the result can be
> truncated when assigned to npgs. For example, size is 0x1 000 0000
> 8000, result of division is 0x1 0000 0008, and the npgs is truncated
> to 0x8.

Apologies for the slow response.

Nice catch! I'll cook a patch to address the overflow!


> ======
> In the process of analyzing the consequence of this bug, I found that
> only npgs pages get mapped and the size is used to initialize
> queue->size. queue->size is used to validate the address provided in
> user-supplied xdp_desc in tx path (xdp_generic_xmit). In
> xdp_generic_xmit the address provided passed the size check and reach
> xdp_umem_get_data. That address is then used as and index to
> umem->pages to get real virtual address. This leads to an out of bound
> read in umem->pages and if the attacker spray some addresses, he can
> use this bug to get arbitrary read.
> However, I cannot see any ways to intercept the xdp packet because
> that packet is sent to bpf program by design. Therefore, I cannot get
> info leak using this bug but I can craft a poc to get kernel panic on
> normal user as long as CONFIG_USER_NS=y.
> Regards,
> Bui Quang Minh

Powered by blists - more mailing lists