From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, John Fastabend, Daniel Borkmann, Jakub Sitnicki, Martin KaFai Lau, Sasha Levin
Subject: [PATCH 5.4 064/147] bpf, sockmap: msg_pop_data can incorrectly set an sge length
Date: Mon, 18 May 2020 19:36:27 +0200
Message-Id: <20200518173522.043577325@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200518173513.009514388@linuxfoundation.org>
References: <20200518173513.009514388@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: John Fastabend

[ Upstream commit 3e104c23816220919ea1b3fd93fabe363c67c484 ]

When sk_msg_pop() is called where the pop operation is working on the end of a sge element and there is no additional trailing data and there _is_ data in front of pop, like the following case,

  |____________a_____________|__pop__|

We have out of order operations where we incorrectly set the pop variable so that instead of zero'ing pop we incorrectly leave it untouched, effectively. This can cause later logic to shift the buffers around believing it should pop extra space. The result is we have 'popped' more data than we expected, potentially breaking program logic.

It took us a while to hit this case because typically we pop headers which seem to rarely be at the end of a scatterlist element, but we can't rely on this.

Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages")
Signed-off-by: John Fastabend
Signed-off-by: Daniel Borkmann
Reviewed-by: Jakub Sitnicki
Acked-by: Martin KaFai Lau
Link: https://lore.kernel.org/bpf/158861288359.14306.7654891716919968144.stgit@john-Precision-5820-Tower
Signed-off-by: Sasha Levin
---
 net/core/filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c index d59dbc88fef5d..f1f2304822e3b 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2590,8 +2590,8 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start, } pop = 0; } else if (pop >= sge->length - a) { - sge->length = a; pop -= (sge->length - a); + sge->length = a; } } -- 2.20.1
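Review bot: the reordering in the `else if (pop >= sge->length - a)` branch is correct and is the entire fix, but the two statements still read as independent, so a one-line comment on the branch is worth adding: with `sge->length = a;` executed first, `pop -= (sge->length - a);` subtracts zero and pop keeps its old value, which is exactly the untouched-pop case the commit message describes; with the subtraction first, pop drops to zero when the pop ends at the sge boundary (or to the remainder when it spans past it) before the element is truncated to `a`. Since the original ordering passed review and the condition itself was already right, a selftest covering a pop that ends exactly at the end of an sge with data in front of it would guard against the same ordering slipping back in.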
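As an added illustration, not part of the patch or of the kernel source, the following C model runs the two statement orderings on the layout the commit message describes. `struct sge_model` and the two function names are constructed stand-ins for the kernel's scatterlist element and for the `else if` branch shown in the hunk; the byte counts are constructed sample values.

```c
#include <stdio.h>

/* Constructed stand-in for the length field of one scatterlist element (sge);
 * this is not the kernel's struct scatterlist. */
struct sge_model {
    unsigned int length;
};

/* Statement order as in the pre-fix code: the element is truncated first,
 * so the subtraction computes (a - a) == 0 and pop is left untouched. */
static unsigned int pop_tail_before_fix(struct sge_model *sge, unsigned int a,
                                        unsigned int pop)
{
    if (pop >= sge->length - a) {
        sge->length = a;
        pop -= (sge->length - a);   /* subtracts 0: the bug */
    }
    return pop;                     /* bytes the caller still thinks it must pop */
}

/* Statement order as in the fix: account for the bytes this element loses,
 * then truncate it. A pop ending exactly at the sge end leaves pop == 0. */
static unsigned int pop_tail_after_fix(struct sge_model *sge, unsigned int a,
                                       unsigned int pop)
{
    if (pop >= sge->length - a) {
        pop -= (sge->length - a);
        sge->length = a;
    }
    return pop;
}

int main(void)
{
    /* Layout from the commit message: |____a____|__pop__| with 64 bytes of
     * data in front (a) and a 32-byte pop ending exactly at the sge end. */
    struct sge_model s1 = { .length = 96 }, s2 = { .length = 96 };
    unsigned int left_before = pop_tail_before_fix(&s1, 64, 32);
    unsigned int left_after  = pop_tail_after_fix(&s2, 64, 32);

    printf("before fix: length=%u, pop still outstanding=%u\n", s1.length, left_before);
    printf("after fix:  length=%u, pop still outstanding=%u\n", s2.length, left_after);
    return 0;
}
```

The pre-fix path returns the full 32 bytes as still outstanding even though the element was already shortened, which is the extra space the later shifting logic then pops.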