| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220228232332.458871-1-sdf@google.com>
Date: Mon, 28 Feb 2022 15:23:32 -0800
From: Stanislav Fomichev <sdf@...gle.com>
To: netdev@...r.kernel.org, bpf@...r.kernel.org
Cc: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
Stanislav Fomichev <sdf@...gle.com>,
Lorenzo Bianconi <lorenzo@...nel.org>
Subject: [PATCH bpf-next] bpf: test_run: Fix overflow in xdp frags bpf_test_finish
Syzkaller reports another issue:
WARNING: CPU: 0 PID: 10775 at include/linux/thread_info.h:230
check_copy_size include/linux/thread_info.h:230 [inline]
WARNING: CPU: 0 PID: 10775 at include/linux/thread_info.h:230
copy_to_user include/linux/uaccess.h:199 [inline]
WARNING: CPU: 0 PID: 10775 at include/linux/thread_info.h:230
bpf_test_finish.isra.0+0x4b2/0x680 net/bpf/test_run.c:171
This can happen when the userspace buffer is smaller than head+frags.
Return ENOSPC in this case.
Fixes: 7855e0db150a ("bpf: test_run: add xdp_shared_info pointer in bpf_test_finish signature")
Cc: Lorenzo Bianconi <lorenzo@...nel.org>
Signed-off-by: Stanislav Fomichev <sdf@...gle.com>
---
net/bpf/test_run.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index f08034500813..eb129e48f90b 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -150,6 +150,11 @@ static int bpf_test_finish(const union bpf_attr *kattr,
if (data_out) {
int len = sinfo ? copy_size - sinfo->xdp_frags_size : copy_size;
+ if (len < 0) {
+ err = -ENOSPC;
+ goto out;
+ }
+
if (copy_to_user(data_out, data, len))
goto out;
--
2.35.1.574.g5d30c73bfb-goog
Powered by blists - more mailing lists