Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp2835888pxv; Mon, 12 Jul 2021 03:08:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy4CxwA95CtPVO/p57d4RTGsJbc8rcncP197xJkZk0eqNSnLGeLkf0t1vXOf/Wd5Nj7ldmZ X-Received: by 2002:a5d:8b8b:: with SMTP id p11mr39553655iol.77.1626084494759; Mon, 12 Jul 2021 03:08:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626084494; cv=none; d=google.com; s=arc-20160816; b=tvHnunns6ANbQe1W1J50+tJY3xv0vIwpDYoOfItF/TSAq0CasN0hKOwMXayBkqtE71 V9s5vB+6TSzCewLDCu1kqZdssXTP4rSz3OFTVDI4LaXPHO1e1EbzssdQu72+s3YXFEbs 0YKTEzidPqpZDBnDKfq0yTxsTa46/3w16X6tVBx4ZKmzfzCr+nrMXhJGn7KhV+zGr8H+ wkYaGEKiGxbfZkP+AhIV0oPRCLmv285CWhOk1EogFccAoaC2xncioJbG4ODi3HjyQxml 41qovCj0RbbwKJ/d4raLiPtqEYQRoNFCA+3F95ZbAr8KZEpcAw9KyK2OhzVjetR0eR7J DCMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=owva/L1CUZXPVpfOFRElUa0uev3ENBZffae4YPUVmeM=; b=KnsxzJGC6YrNgmGnTOPYcW4ZeqyqCTUlVe36IumVPLIbPKNBxhasgaoaOY9My6ledZ uo0iAu23ugUInEo7bTZgpWD7g2fpR8dNE7oFqlvadDc8aJmbUY6jlpqE0/FTQFzC6X6F +WUSZHLEkSEuAQXQVZrjjQnvFS8W3Z64w9mCPxdQFYNdr5t6lm6k69bGEQ4qfGQyb3I0 4h/OguR1UeUSzpAtwpy1J4fC/EZCSVprHp2Wf5hrqfEer+jfAAPg/U22Rw2lrXxBs8gu 9+8A1jiZXjBSWnH5S22jSxBsj9sJ8RwfvEZG4HlF2znWtTDbHxxwwsO8qM7NtOMGkkKf u71g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VRVtJ8WP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s18si13271981jao.15.2021.07.12.03.08.03; Mon, 12 Jul 2021 03:08:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=VRVtJ8WP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350450AbhGLHvA (ORCPT + 99 others); Mon, 12 Jul 2021 03:51:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:48498 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242898AbhGLHQe (ORCPT ); Mon, 12 Jul 2021 03:16:34 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2A266613F4; Mon, 12 Jul 2021 07:13:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626073989; bh=8+rRPFj3Ox44Tpgb+toN5X1rm9q9dgE8IUckF0MXjaY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VRVtJ8WPT3bahsXqb/B3M81+pMU2Wt+Z/BWATnRkytRXwZdfGr0Pl7sVsB/Sn3HqR KKKshq0FeQBF5Xmvw/tX5SyZmOXCLpbEqGFrrToxgBtYFakxSgknqG/a/fasjeQrFi OYzSzSGqlLKbWf5VUtd8e5ooKEvEqxqD1F7IGYqs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Magnus Karlsson , Daniel Borkmann , Xuan Zhuo , =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= , Sasha Levin Subject: [PATCH 5.12 426/700] xsk: Fix broken Tx ring validation Date: Mon, 12 Jul 2021 08:08:29 +0200 Message-Id: <20210712061021.724473680@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210712060924.797321836@linuxfoundation.org> References: <20210712060924.797321836@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Magnus Karlsson [ Upstream commit f654fae47e83e56b454fbbfd0af0a4f232e356d6 ] Fix broken Tx ring validation for AF_XDP. The commit under the Fixes tag, fixed an off-by-one error in the validation but introduced another error. Descriptors are now let through even if they straddle a chunk boundary which they are not allowed to do in aligned mode. Worse is that they are let through even if they straddle the end of the umem itself, tricking the kernel to read data outside the allowed umem region which might or might not be mapped at all. Fix this by reintroducing the old code, but subtract the length by one to fix the off-by-one error that the original patch was addressing. The test chunk != chunk_end makes sure packets do not straddle chunk boundraries. Note that packets of zero length are allowed in the interface, therefore the test if the length is non-zero. Fixes: ac31565c2193 ("xsk: Fix for xp_aligned_validate_desc() when len == chunk_size") Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Reviewed-by: Xuan Zhuo Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/20210618075805.14412-1-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin --- net/xdp/xsk_queue.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h index 40f359bf2044..35938dfa784d 100644 --- a/net/xdp/xsk_queue.h +++ b/net/xdp/xsk_queue.h @@ -128,12 +128,15 @@ static inline bool xskq_cons_read_addr_unchecked(struct xsk_queue *q, u64 *addr) static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool, struct xdp_desc *desc) { - u64 chunk; - - if (desc->len > pool->chunk_size) - return false; + u64 chunk, chunk_end; chunk = xp_aligned_extract_addr(pool, desc->addr); + if (likely(desc->len)) { + chunk_end = xp_aligned_extract_addr(pool, desc->addr + desc->len - 1); + if (chunk != chunk_end) + return false; + } + if (chunk >= pool->addrs_cnt) return false; -- 2.30.2