Message-ID: <CAGF5Uf5tRdt0Bpky+53AursJNAj1Q6-+0jkm2SQxxK-eAv=Nzw@mail.gmail.com>
Date: Wed, 14 Jan 2026 15:18:13 +0900
From: Sai Aung Hlyan Htet <saiaunghlyanhtet2003@...il.com>
To: bot+bpf-ci@...nel.org
Cc: bpf@...r.kernel.org, ast@...nel.org, daniel@...earbox.net, 
	john.fastabend@...il.com, netdev@...r.kernel.org, andrii@...nel.org, 
	martin.lau@...nel.org, eddyz87@...il.com, yonghong.song@...ux.dev, 
	clm@...a.com, ihor.solodrai@...ux.dev
Subject: Re: [bpf-next,v2] bpf: cpumap: report queue_index to xdp_rxq_info

That makes sense. Reverted the changes in veth.c in v3.

On Wed, Jan 14, 2026 at 2:18 PM <bot+bpf-ci@...nel.org> wrote:
>
> > diff --git a/drivers/net/veth.c b/drivers/net/veth.c
> > index 14e6f2a2fb77..4a409802cdac 100644
> > --- a/drivers/net/veth.c
> > +++ b/drivers/net/veth.c
> > @@ -648,6 +648,8 @@ static struct xdp_frame *veth_xdp_rcv_one(struct veth_rq *rq,
> >
> >               xdp_convert_frame_to_buff(frame, xdp);
> >               xdp->rxq = &rq->xdp_rxq;
> > +             /* Preserve original queue_index from frame */
> > +             rq->xdp_rxq.queue_index = frame->queue_index;
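
Review bot: the added store to `rq->xdp_rxq.queue_index` writes into per-queue state that `xdp->rxq` merely points at, so the frame's index remains in `rq->xdp_rxq` after this frame has been handled, and the new comment's "Preserve" wording hides that the line overwrites the receive queue's own index. Set the index on a per-frame `struct xdp_rxq_info` and point `xdp->rxq` at that instead, and have the comment state which index an XDP program should expect to see here.
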
>                 ^^^^^^^^^^^^^^^^^^^^^^^^
>
> Unlike cpumap.c and devmap.c which use a stack-local rxq variable,
> this writes to the persistent rq->xdp_rxq structure.
>
> In veth_poll(), the code reads queue_index before calling veth_xdp_rcv():
>
>     int queue_idx = rq->xdp_rxq.queue_index;
>     ...
>     peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL;
>     ...
>     done = veth_xdp_rcv(rq, budget, &bq, &stats);
>
> After processing a frame from a device with many queues (e.g. queue 32),
> the next poll will read the corrupted queue_index and pass it to
> netdev_get_tx_queue(). If the peer device has fewer TX queues, this
> causes an out-of-bounds access to dev->_tx[].
>
> For comparison, cpumap.c uses a local variable:
>
>     struct xdp_rxq_info rxq = {};
>     ...
>     rxq.queue_index = xdpf->queue_index;
>
> Should veth also use a local rxq variable like cpumap and devmap do,
> rather than modifying the persistent rq->xdp_rxq?
>
> > [ ... ]
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20983017884
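
The state leak described in the quoted review, as a userspace C model added here (not kernel code, and not part of the patch or of either message). The struct and function names are simplified stand-ins, and the queue counts are constructed for illustration.

```c
/* Userspace model only: simplified stand-ins for the kernel structures. */
struct rxq_info { unsigned int queue_index; };
struct frame    { unsigned int queue_index; };   /* index recorded by the origin device */
struct rq       { struct rxq_info xdp_rxq; };    /* persistent per-queue state */
struct buff     { const struct rxq_info *rxq; }; /* what the XDP program sees */

#define PEER_TX_QUEUES 4u                        /* constructed: peer has 4 TX queues */

/* Pattern from the v2 hunk: store the frame's index in persistent state. */
static unsigned int rcv_one_persistent(struct rq *rq, const struct frame *f)
{
	struct buff xdp = { .rxq = &rq->xdp_rxq };

	rq->xdp_rxq.queue_index = f->queue_index;
	return xdp.rxq->queue_index;             /* value reported to the program */
}

/* Same idea as the cpumap lines quoted above: a stack-local rxq per frame. */
static unsigned int rcv_one_local(const struct rq *rq, const struct frame *f)
{
	struct rxq_info rxq = rq->xdp_rxq;       /* local copy, dies with this call */
	struct buff xdp = { .rxq = &rxq };

	rxq.queue_index = f->queue_index;
	return xdp.rxq->queue_index;
}

/* Model of the poll entry: the index it would use to select a peer TX queue. */
static unsigned int poll_queue_idx(const struct rq *rq)
{
	return rq->xdp_rxq.queue_index;
}

/* Returns 1 if the next poll would index past the peer's TX queues. */
static int next_poll_out_of_range(int use_local)
{
	struct rq rq = { .xdp_rxq = { .queue_index = 1 } };
	struct frame f = { .queue_index = 32 };  /* constructed: frame from queue 32 */

	if (use_local)
		rcv_one_local(&rq, &f);
	else
		rcv_one_persistent(&rq, &f);
	return poll_queue_idx(&rq) >= PEER_TX_QUEUES;
}
```

Both variants report index 32 to the program for that frame; only the persistent variant leaves 32 behind for the next poll to read.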
