lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Feb 2022 15:23:32 -0800 From: Stanislav Fomichev <sdf@...gle.com> To: netdev@...r.kernel.org, bpf@...r.kernel.org Cc: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org, Stanislav Fomichev <sdf@...gle.com>, Lorenzo Bianconi <lorenzo@...nel.org> Subject: [PATCH bpf-next] bpf: test_run: Fix overflow in xdp frags bpf_test_finish Syzkaller reports another issue: WARNING: CPU: 0 PID: 10775 at include/linux/thread_info.h:230 check_copy_size include/linux/thread_info.h:230 [inline] WARNING: CPU: 0 PID: 10775 at include/linux/thread_info.h:230 copy_to_user include/linux/uaccess.h:199 [inline] WARNING: CPU: 0 PID: 10775 at include/linux/thread_info.h:230 bpf_test_finish.isra.0+0x4b2/0x680 net/bpf/test_run.c:171 This can happen when the userspace buffer is smaller than head+frags. Return ENOSPC in this case. Fixes: 7855e0db150a ("bpf: test_run: add xdp_shared_info pointer in bpf_test_finish signature") Cc: Lorenzo Bianconi <lorenzo@...nel.org> Signed-off-by: Stanislav Fomichev <sdf@...gle.com> --- net/bpf/test_run.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c index f08034500813..eb129e48f90b 100644 --- a/net/bpf/test_run.c +++ b/net/bpf/test_run.c @@ -150,6 +150,11 @@ static int bpf_test_finish(const union bpf_attr *kattr, if (data_out) { int len = sinfo ? copy_size - sinfo->xdp_frags_size : copy_size; + if (len < 0) { + err = -ENOSPC; + goto out; + } + if (copy_to_user(data_out, data, len)) goto out; -- 2.35.1.574.g5d30c73bfb-goog
Powered by blists - more mailing lists