| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Apr 2021 10:00:33 +0200
From: Magnus Karlsson <magnus.karlsson@...il.com>
To: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
Cc: bpf <bpf@...r.kernel.org>,
Björn Töpel <bjorn@...nel.org>,
Magnus Karlsson <magnus.karlsson@...el.com>,
Jonathan Lemon <jonathan.lemon@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
KP Singh <kpsingh@...nel.org>,
Maxim Mikityanskiy <maximmi@...lanox.com>,
Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf] xsk: fix for xp_aligned_validate_desc() when len == chunk_size
On Tue, Apr 27, 2021 at 2:19 PM Xuan Zhuo <xuanzhuo@...ux.alibaba.com> wrote:
>
> When desc->len is equal to chunk_size, it is legal. But
> xp_aligned_validate_desc() got "chunk_end" by desc->addr + desc->len
> pointing to the next chunk during the check, which caused the check to
> fail.
Thanks Xuan for the fix. Off-by-one error. A classic unfortunately.
Think your fix also makes it easier to understand the code too, so good.
> Fixes: 35fcde7f8deb ("xsk: support for Tx")
> Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme")
Just did some quick research and it seems the bug was introduced in
the bbff2f321a86 commit above, not the first one 35fcde7f8deb. Or am I
mistaken?
> Fixes: 2b43470add8c ("xsk: Introduce AF_XDP buffer allocation API")
> Fixes: 26062b185eee ("xsk: Explicitly inline functions and move definitions")
And in these two, the code was moved around first to a new function in
2b43470add8c, then this function was moved to a new file in
26062b185eee. I believe documenting this in your commit message would
make life simpler for the nice people backporting this fix. Or is this
implicit in the multiple Fixes tags? Could someone with more
experience in these things comment please.
Thank you: Magnus
Acked-by: Magnus Karlsson <magnus.karlsson@...el.com>
> Signed-off-by: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
> ---
> net/xdp/xsk_queue.h | 7 +++----
> 1 file changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h
> index 2823b7c3302d..40f359bf2044 100644
> --- a/net/xdp/xsk_queue.h
> +++ b/net/xdp/xsk_queue.h
> @@ -128,13 +128,12 @@ static inline bool xskq_cons_read_addr_unchecked(struct xsk_queue *q, u64 *addr)
> static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool,
> struct xdp_desc *desc)
> {
> - u64 chunk, chunk_end;
> + u64 chunk;
>
> - chunk = xp_aligned_extract_addr(pool, desc->addr);
> - chunk_end = xp_aligned_extract_addr(pool, desc->addr + desc->len);
> - if (chunk != chunk_end)
> + if (desc->len > pool->chunk_size)
> return false;
>
> + chunk = xp_aligned_extract_addr(pool, desc->addr);
> if (chunk >= pool->addrs_cnt)
> return false;
>
> --
> 2.31.0
>
Powered by blists - more mailing lists