Open Source and information security mailing list archives
Message-ID: <CAMB2axOsK+niZs38i7mjuuWcEUgJtPhoovsKHui3o=LvdraFnQ@mail.gmail.com>
Date: Mon, 5 Jan 2026 10:36:11 -0800
From: Amery Hung <ameryhung@...il.com>
To: Toke Høiland-Jørgensen <toke@...hat.com>
Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, 
	Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, 
	Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, 
	Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>, 
	KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, 
	Jiri Olsa <jolsa@...nel.org>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Jesper Dangaard Brouer <hawk@...nel.org>, Yinhao Hu <dddddd@...t.edu.cn>, 
	Kaiyan Mei <M202472210@...t.edu.cn>, Eric Dumazet <edumazet@...gle.com>, 
	Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, bpf@...r.kernel.org, 
	netdev@...r.kernel.org
Subject: Re: [PATCH bpf 1/2] bpf, test_run: Subtract size of xdp_frame from
 allowed metadata size

On Mon, Jan 5, 2026 at 3:48 AM Toke Høiland-Jørgensen <toke@...hat.com> wrote:
>
> The xdp_frame structure takes up part of the XDP frame headroom,
> limiting the size of the metadata. However, in bpf_test_run, we don't
> take this into account, which makes it possible for userspace to supply
> a metadata size that is too large (taking up the entire headroom).
>
> If userspace supplies such a large metadata size in live packet mode,
> the xdp_update_frame_from_buff() call in xdp_test_run_init_page()
> will fail, after which packet transmission proceeds with an
> uninitialised frame structure, leading to the usual Bad Stuff.
>
> The commit in the Fixes tag fixed a related bug where the second check
> in xdp_update_frame_from_buff() could fail, but did not add any
> additional constraints on the metadata size. Complete the fix by adding
> an additional check on the metadata size. Reorder the checks slightly to
> make the logic clearer and add a comment.
>
> Link: https://lore.kernel.org/r/fa2be179-bad7-4ee3-8668-4903d1853461@hust.edu.cn
> Fixes: b6f1f780b393 ("bpf, test_run: Fix packet size check for live packet mode")
> Reported-by: Yinhao Hu <dddddd@...t.edu.cn>
> Reported-by: Kaiyan Mei <M202472210@...t.edu.cn>
> Signed-off-by: Toke Høiland-Jørgensen <toke@...hat.com>
> ---
>  net/bpf/test_run.c | 18 +++++++++++++-----
>  1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index 655efac6f133..e6c0ad204b92 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -1294,8 +1294,6 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
>                         batch_size = NAPI_POLL_WEIGHT;
>                 else if (batch_size > TEST_XDP_MAX_BATCH)
>                         return -E2BIG;
> -
> -               headroom += sizeof(struct xdp_page_head);
>         } else if (batch_size) {
>                 return -EINVAL;
>         }
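Review bot: dropping `headroom += sizeof(struct xdp_page_head);` from the live-mode branch is only safe if no code between this point and the place where the addition is reinstated consumes `headroom` for a size decision in live mode; the hunk shows neither the initialisation of `headroom` nor any such consumer, so please confirm that the metadata check is the only user of `headroom` in that window, and consider mentioning in the commit message that the page-head accounting is deliberately moved after the metadata check rather than removed.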
> @@ -1308,16 +1306,26 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
>                 /* There can't be user provided data before the meta data */
>                 if (ctx->data_meta || ctx->data_end > kattr->test.data_size_in ||
>                     ctx->data > ctx->data_end ||
> -                   unlikely(xdp_metalen_invalid(ctx->data)) ||
>                     (do_live && (kattr->test.data_out || kattr->test.ctx_out)))
>                         goto free_ctx;
> -               /* Meta data is allocated from the headroom */
> -               headroom -= ctx->data;
>
>                 meta_sz = ctx->data;
> +               if (xdp_metalen_invalid(meta_sz) || meta_sz > headroom - sizeof(struct xdp_frame))
> +                       goto free_ctx;
> +
> +               /* Meta data is allocated from the headroom */
> +               headroom -= meta_sz;
>                 linear_sz = ctx->data_end;
>         }
>
> +       /* The xdp_page_head structure takes up space in each page, limiting the
> +         * size of the packet data; add the extra size to headroom here to make
> +         * sure it's accounted in the length checks below, but not in the
> +         * metadata size check above.
> +         */
> +        if (do_live)
> +               headroom += sizeof(struct xdp_page_head);
> +
>         max_linear_sz = PAGE_SIZE - headroom - tailroom;
>         linear_sz = min_t(u32, linear_sz, max_linear_sz);
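Review bot: the new check `meta_sz > headroom - sizeof(struct xdp_frame)` silently depends on `headroom` being at least `sizeof(struct xdp_frame)` when it runs; if `headroom` is an unsigned type and could ever be smaller, the subtraction wraps and the comparison passes for any `meta_sz`, so either a short comment stating the invariant or an explicit `headroom < sizeof(struct xdp_frame)` guard would make the intent auditable. Separately, the added comment block's continuation lines and the `if (do_live)` line appear indented with spaces rather than a tab, which checkpatch will flag; please align them with the surrounding tab-indented code.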

The fix makes sense to me.

Reviewed-by: Amery Hung <ameryhung@...il.com>


>
> --
> 2.52.0
>
>
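As an added illustration of the headroom accounting the commit message describes (this is not code from the patch or from the kernel): a user-space model with constructed stand-in sizes, showing why the pre-fix check admits a metadata size that leaves no room for the xdp_frame structure while the post-fix check rejects it. The constants, the simplified metalen check and the function names are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in sizes for this example only; the real values come
 * from sizeof(struct xdp_frame) and the kernel's metadata limits. */
#define MODEL_HEADROOM       256u  /* assumed headroom handed to the test run */
#define MODEL_XDP_FRAME_SIZE 40u   /* assumed sizeof(struct xdp_frame) */
#define MODEL_META_MAX       255u  /* assumed generic metadata cap */

/* Simplified stand-in for xdp_metalen_invalid(): metadata must be 4-byte
 * aligned and within the generic cap. It knows nothing about headroom. */
static bool model_metalen_invalid(uint32_t metalen)
{
	return (metalen & 3u) != 0 || metalen > MODEL_META_MAX;
}

/* Pre-fix logic: only the generic check, so a metadata size that fits the raw
 * headroom but leaves no room for the frame structure is accepted. */
bool meta_size_ok_before(uint32_t headroom, uint32_t meta_sz)
{
	if (model_metalen_invalid(meta_sz))
		return false;
	return meta_sz <= headroom; /* "headroom -= meta_sz" does not underflow */
}

/* Post-fix logic: also reserve the frame structure out of the headroom, with
 * an explicit guard so the subtraction can never wrap. */
bool meta_size_ok_after(uint32_t headroom, uint32_t meta_sz)
{
	if (headroom < MODEL_XDP_FRAME_SIZE)
		return false;
	if (model_metalen_invalid(meta_sz))
		return false;
	return meta_sz <= headroom - MODEL_XDP_FRAME_SIZE;
}

/* Largest metadata size the post-fix check admits for a given headroom. */
uint32_t model_max_meta(uint32_t headroom)
{
	uint32_t limit = headroom > MODEL_XDP_FRAME_SIZE ?
			 headroom - MODEL_XDP_FRAME_SIZE : 0;

	if (limit > MODEL_META_MAX)
		limit = MODEL_META_MAX;
	return limit & ~3u; /* round down to 4-byte alignment */
}
```

With the model sizes, a 252-byte metadata area passes the pre-fix check but is 36 bytes too large once the frame structure is reserved.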
