Message-Id: <17dcbb5af344c64488806ab2e291d4d7a0de3c51b8d9b0478bb1f0106a584530@mail.kernel.org>
Date: Wed, 14 Jan 2026 05:18:45 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: saiaunghlyanhtet2003@...il.com,bpf@...r.kernel.org
Cc: ast@...nel.org,daniel@...earbox.net,john.fastabend@...il.com,netdev@...r.kernel.org,saiaunghlyanhtet2003@...il.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [bpf-next,v2] bpf: cpumap: report queue_index to xdp_rxq_info

> diff --git a/drivers/net/veth.c b/drivers/net/veth.c
> index 14e6f2a2fb77..4a409802cdac 100644
> --- a/drivers/net/veth.c
> +++ b/drivers/net/veth.c
> @@ -648,6 +648,8 @@ static struct xdp_frame *veth_xdp_rcv_one(struct veth_rq *rq,
>
>  		xdp_convert_frame_to_buff(frame, xdp);
>  		xdp->rxq = &rq->xdp_rxq;
> +		/* Preserve original queue_index from frame */
> +		rq->xdp_rxq.queue_index = frame->queue_index;
                ^^^^^^^^^^^^^^^^^^^^^^^^
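Review bot: The assignment `rq->xdp_rxq.queue_index = frame->queue_index;` writes into the persistent per-ring rq->xdp_rxq (the same object xdp->rxq was just pointed at on the line above) rather than into a per-frame copy, and nothing in this hunk restores the previous value once the frame has been handled, so the comment "Preserve original queue_index from frame" undersells the effect: the ring's own queue_index is replaced for every later reader of rq->xdp_rxq. Suggest a stack-local `struct xdp_rxq_info rxq = rq->xdp_rxq;`, setting `rxq.queue_index = frame->queue_index;` and pointing `xdp->rxq = &rxq;` at it, as the cpumap and devmap paths do, or at minimum saving and restoring the field around the frame.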

Unlike cpumap.c and devmap.c which use a stack-local rxq variable,
this writes to the persistent rq->xdp_rxq structure.

In veth_poll(), the code reads queue_index before calling veth_xdp_rcv():

    int queue_idx = rq->xdp_rxq.queue_index;
    ...
    peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL;
    ...
    done = veth_xdp_rcv(rq, budget, &bq, &stats);

After processing a frame from a device with many queues (e.g. queue 32),
the next poll will read the corrupted queue_index and pass it to
netdev_get_tx_queue(). If the peer device has fewer TX queues, this
causes an out-of-bounds access to dev->_tx[].

For comparison, cpumap.c uses a local variable:

    struct xdp_rxq_info rxq = {};
    ...
    rxq.queue_index = xdpf->queue_index;

Should veth also use a local rxq variable like cpumap and devmap do,
rather than modifying the persistent rq->xdp_rxq?

> [ ... ]


---
AI reviewed your patch. Please fix the bug or reply by email explaining why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20983017884
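As an added illustration, not part of the bot's reply or the kernel tree, here is a small constructed C model of the state-aliasing problem described above: the struct names mirror the kernel's but are simplified stand-ins, and next_poll_queue_idx() returns what the following veth_poll() would read from rq->xdp_rxq after one redirected frame has been processed, with and without the local-copy pattern.

```c
/* Constructed model of the bug described above, not kernel code: a veth_rq keeps
 * one persistent xdp_rxq_info whose queue_index veth_poll() reads every pass. */
#include <stdbool.h>
#include <stdio.h>

struct xdp_rxq_info { unsigned int queue_index; };
struct veth_rq      { struct xdp_rxq_info xdp_rxq; };
struct xdp_frame    { unsigned int queue_index; };
/* Receive path as in the reviewed hunk: the frame's queue_index is written into
 * the persistent rq->xdp_rxq (which xdp->rxq points at) and never restored. */
static void rcv_one_persistent(struct veth_rq *rq, const struct xdp_frame *frame)
{
	struct xdp_rxq_info *xdp_rxq = &rq->xdp_rxq;   /* xdp->rxq = &rq->xdp_rxq */
	xdp_rxq->queue_index = frame->queue_index;
}

/* cpumap/devmap pattern: a stack-local copy carries the frame's index instead. */
static void rcv_one_local(struct veth_rq *rq, const struct xdp_frame *frame)
{
	struct xdp_rxq_info rxq = rq->xdp_rxq;         /* xdp->rxq = &rxq */
	rxq.queue_index = frame->queue_index;
	(void)rxq;                                     /* XDP program would run here */
}

/* Queue index the *next* veth_poll() would read from rq->xdp_rxq and hand to
 * netdev_get_tx_queue(), after one redirected frame was processed. */
unsigned int next_poll_queue_idx(unsigned int rq_idx, unsigned int frame_idx, bool use_local)
{
	struct veth_rq rq = { .xdp_rxq = { .queue_index = rq_idx } };
	struct xdp_frame frame = { .queue_index = frame_idx };
	if (use_local)
		rcv_one_local(&rq, &frame);
	else
		rcv_one_persistent(&rq, &frame);
	return rq.xdp_rxq.queue_index;
}

/* Model of the dev->_tx[] lookup: true only when the index stays in bounds. */
bool peer_txq_in_bounds(unsigned int queue_idx, unsigned int peer_num_txq)
{
	return queue_idx < peer_num_txq;
}

int main(void)
{
	unsigned int stale = next_poll_queue_idx(0, 32, false);   /* 32, not 0 */
	printf("next poll uses queue %u: %s for a peer with one TX queue\n", stale,
	       peer_txq_in_bounds(stale, 1) ? "in bounds" : "out of bounds");
	return 0;
}
```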
