lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 20 Aug 2020 09:56:05 +0200
From:   Lorenzo Bianconi <lorenzo@...nel.org>
To:     Jesper Dangaard Brouer <brouer@...hat.com>
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org, davem@...emloft.net,
        lorenzo.bianconi@...hat.com, echaudro@...hat.com,
        sameehj@...zon.com, kuba@...nel.org
Subject: Re: [PATCH net-next 4/6] xdp: add multi-buff support to
 xdp_return_{buff/frame}

> On Wed, 19 Aug 2020 15:13:49 +0200
> Lorenzo Bianconi <lorenzo@...nel.org> wrote:
> 
> > diff --git a/net/core/xdp.c b/net/core/xdp.c
> > index 884f140fc3be..006b24b5d276 100644
> > --- a/net/core/xdp.c
> > +++ b/net/core/xdp.c
> > @@ -370,19 +370,55 @@ static void __xdp_return(void *data, struct xdp_mem_info *mem, bool napi_direct)
> >  
> >  void xdp_return_frame(struct xdp_frame *xdpf)
> >  {
> > +	struct skb_shared_info *sinfo;
> > +	int i;
> > +
> >  	__xdp_return(xdpf->data, &xdpf->mem, false);
> 
> There is a use-after-free race here.  The xdpf->data contains the
> shared_info (xdp_get_shared_info_from_frame(xdpf)). Thus you cannot
> free/return the page and use this data area below.

right, thx for pointing this out. I will fix it in v2.

Regards,
Lorenzo

> 
> > +	if (!xdpf->mb)
> > +		return;
> > +
> > +	sinfo = xdp_get_shared_info_from_frame(xdpf);
> > +	for (i = 0; i < sinfo->nr_frags; i++) {
> > +		struct page *page = skb_frag_page(&sinfo->frags[i]);
> > +
> > +		__xdp_return(page_address(page), &xdpf->mem, false);
> > +	}
> >  }
> >  EXPORT_SYMBOL_GPL(xdp_return_frame);
> >  
> >  void xdp_return_frame_rx_napi(struct xdp_frame *xdpf)
> >  {
> > +	struct skb_shared_info *sinfo;
> > +	int i;
> > +
> >  	__xdp_return(xdpf->data, &xdpf->mem, true);
> 
> Same issue.
> 
> > +	if (!xdpf->mb)
> > +		return;
> > +
> > +	sinfo = xdp_get_shared_info_from_frame(xdpf);
> > +	for (i = 0; i < sinfo->nr_frags; i++) {
> > +		struct page *page = skb_frag_page(&sinfo->frags[i]);
> > +
> > +		__xdp_return(page_address(page), &xdpf->mem, true);
> > +	}
> >  }
> >  EXPORT_SYMBOL_GPL(xdp_return_frame_rx_napi);
> >  
> >  void xdp_return_buff(struct xdp_buff *xdp)
> >  {
> > +	struct skb_shared_info *sinfo;
> > +	int i;
> > +
> >  	__xdp_return(xdp->data, &xdp->rxq->mem, true);
> 
> Same issue.
> 
> > +	if (!xdp->mb)
> > +		return;
> > +
> > +	sinfo = xdp_get_shared_info_from_buff(xdp);
> > +	for (i = 0; i < sinfo->nr_frags; i++) {
> > +		struct page *page = skb_frag_page(&sinfo->frags[i]);
> > +
> > +		__xdp_return(page_address(page), &xdp->rxq->mem, true);
> > +	}
> >  }
> 
> 
> 
> -- 
> Best regards,
>   Jesper Dangaard Brouer
>   MSc.CS, Principal Kernel Engineer at Red Hat
>   LinkedIn: http://www.linkedin.com/in/brouer
> 

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists