Date: Sat, 12 Nov 2022 02:15:47 +0530
From: Kumar Kartikeya Dwivedi
To: sdf@google.com
Cc: Xu Kuohai, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Hao Luo, Jiri Olsa
Subject: Re: [PATCH bpf] bpf: Fix offset calculation error in __copy_map_value and zero_map_value
Message-ID: <20221111204547.lyeim477afgfgkhh@apollo>
References: <20221111125620.754855-1-xukuohai@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Nov 12, 2022 at 12:47:52AM IST, sdf@google.com wrote:
> On 11/11, Xu Kuohai wrote:
> > From: Xu Kuohai
> >
> > Functions __copy_map_value and zero_map_value miscalculate the copy offset,
> > resulting in a possible copy of unwanted data to user or kernel.
> >
> > Fix it.
> >
> > Fixes: cc48755808c6 ("bpf: Add zero_map_value to zero map value with
> > special fields")
> > Fixes: 4d7d7f69f4b1 ("bpf: Adapt copy_map_value for multiple offset case")
> > Signed-off-by: Xu Kuohai
> > ---
> > include/linux/bpf.h | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index 74c6f449d81e..c1bd1bd10506 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -315,7 +315,7 @@ static inline void __copy_map_value(struct bpf_map > > *map, void *dst, void *src, b > > u32 next_off = map->off_arr->field_off[i]; > > > memcpy(dst + curr_off, src + curr_off, next_off - curr_off); > > - curr_off += map->off_arr->field_sz[i]; > > + curr_off = next_off + map->off_arr->field_sz[i]; > > } > > memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off); > > } > > @@ -344,7 +344,7 @@ static inline void zero_map_value(struct bpf_map > > *map, void *dst) > > u32 next_off = map->off_arr->field_off[i]; > > > memset(dst + curr_off, 0, next_off - curr_off); > > - curr_off += map->off_arr->field_sz[i]; > > + curr_off = next_off + map->off_arr->field_sz[i]; > > } > > memset(dst + curr_off, 0, map->value_size - curr_off); > > }
>
> Hmm, does it mean that it currently works only for the cases where
> these special fields are first/last?
>
> Also, what about bpf-next? The same problem seems to exist there?
>

Replied with the patch in the other email.

> Might be a good idea to have some selftest to exercise this?
>

I agree, there was another bug in the same code before this, so I think we
should add tests for this (I should have done that with the commit being
fixed...). Xu, if you have cycles, can you work on testing a few edge cases
and make sure we don't regress in the future? Otherwise I will take a look
next week.
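Review bot: in the __copy_map_value hunk, the removed line `curr_off += map->off_arr->field_sz[i];` only lands at the end of the special field when curr_off already equals next_off at that point, i.e. when the field begins exactly where the previous memcpy stopped; for a field at any other offset curr_off lags behind next_off, so the next iteration's `memcpy(dst + curr_off, src + curr_off, next_off - curr_off);` and the trailing `memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off);` both cover the field the loop was meant to skip. The replacement `curr_off = next_off + map->off_arr->field_sz[i];` is the right fix. Since the commit message says only "resulting in possible copy of unwanted data to user or kernel", it would help to spell out in the message that the unwanted data is the special fields themselves and under which layouts (a field not starting at the end of the previous chunk) the old arithmetic misses them, and to pair the fix with a selftest that puts a special field at a nonzero offset and checks the copy leaves it untouched.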
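Review bot: the zero_map_value hunk has the same stale-offset walk: with `curr_off += map->off_arr->field_sz[i];`, the trailing `memset(dst + curr_off, 0, map->value_size - curr_off);` starts before the special field whenever that field does not begin at the current curr_off, so the field is zeroed instead of being preserved, and `curr_off = next_off + map->off_arr->field_sz[i];` corrects that. Since this loop differs from the one in __copy_map_value only in memset versus memcpy and both needed the identical one-line fix, consider factoring the offset walk into a single shared helper so a future change to the arithmetic cannot be applied to one function and missed in the other, and have the selftest suggested in this thread cover both entry points.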
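The walk that both hunks fix, as an added example that is not part of the patch or of the thread: a user-space C model of the __copy_map_value/zero_map_value loop that runs the pre-patch update (curr_off += field_sz[i]) and the patched one (curr_off = next_off + field_sz[i]) over a constructed 32-byte value with a 4-byte special field at offset 8 and an 8-byte one at offset 16, and counts how many special-field bytes each variant overwrites. struct off_arr, that layout and the model_* names are assumptions made for the model; the kernel keeps separate memcpy and memset loops, while the model folds them into one walk with src == NULL meaning zero.

```c
/*
 * Added example (not kernel code, not part of the patch): a user-space model
 * of the offset walk in __copy_map_value() and zero_map_value(). struct
 * off_arr, the value layout and every model_* name are assumptions. The kernel
 * has two loops (memcpy, memset); one walk does either here, src == NULL
 * meaning "zero".
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MODEL_VALUE_SIZE 32

/* Model of map->off_arr: special-field offsets and sizes, sorted by offset. */
struct off_arr {
	uint32_t cnt;
	uint32_t field_off[2];
	uint32_t field_sz[2];
};

/* Constructed layout: 4-byte special field at offset 8, 8-byte one at 16.
 * Neither begins where the previous chunk ends, the case the pre-patch
 * arithmetic gets wrong. */
static const struct off_arr model_layout = {
	.cnt = 2, .field_off = { 8, 16 }, .field_sz = { 4, 8 },
};

/* Copy or zero one chunk [off, off + len) of the value. */
static void model_chunk(uint8_t *dst, const uint8_t *src, uint32_t off,
			uint32_t len)
{
	if (src)
		memcpy(dst + off, src + off, len);
	else
		memset(dst + off, 0, len);
}

/* Walk the value, touching everything except the special fields. `fixed`
 * selects the patched "curr_off = next_off + field_sz[i]" over the
 * pre-patch "curr_off += field_sz[i]". */
static void model_walk_map_value(const struct off_arr *oa, uint8_t *dst,
				 const uint8_t *src, uint32_t value_size,
				 bool fixed)
{
	uint32_t curr_off = 0;

	for (uint32_t i = 0; i < oa->cnt; i++) {
		uint32_t next_off = oa->field_off[i];

		model_chunk(dst, src, curr_off, next_off - curr_off);
		if (fixed)
			curr_off = next_off + oa->field_sz[i]; /* end of field */
		else
			curr_off += oa->field_sz[i];           /* lags behind */
	}
	model_chunk(dst, src, curr_off, value_size - curr_off);
}

static bool model_is_special(const struct off_arr *oa, uint32_t off)
{
	for (uint32_t i = 0; i < oa->cnt; i++)
		if (off >= oa->field_off[i] &&
		    off < oa->field_off[i] + oa->field_sz[i])
			return true;
	return false;
}

/* dst starts as 0xAA (live special fields), src as 0x55. Returns how many
 * special-field bytes were clobbered, or -1 if an ordinary byte was left
 * untouched. */
static int model_run(bool zero, bool fixed)
{
	uint8_t dst[MODEL_VALUE_SIZE], src[MODEL_VALUE_SIZE];
	uint8_t want = zero ? 0x00 : 0x55;
	int clobbered = 0;

	memset(dst, 0xAA, sizeof(dst));
	memset(src, 0x55, sizeof(src));
	model_walk_map_value(&model_layout, dst, zero ? NULL : src,
			     MODEL_VALUE_SIZE, fixed);

	for (uint32_t off = 0; off < MODEL_VALUE_SIZE; off++) {
		if (model_is_special(&model_layout, off))
			clobbered += dst[off] != 0xAA;
		else if (dst[off] != want)
			return -1;
	}
	return clobbered;
}

int main(void)
{
	printf("copy: pre-patch clobbers %d special bytes, patched %d\n",
	       model_run(false, false), model_run(false, true));
	printf("zero: pre-patch clobbers %d special bytes, patched %d\n",
	       model_run(true, false), model_run(true, true));
	return 0;
}
```

Built with cc -std=c99 -Wall, the pre-patch walk reports 12 clobbered special-field bytes for both copy and zero: after the first field curr_off restarts at 4 instead of 12, so the second chunk rewrites [8,12), and the tail starts at 12 instead of 24, so it rewrites [16,24). The patched walk reports 0 for both. With a single special field at offset 0 the two variants agree, which is why a test that only uses a leading field would not catch this; a selftest of the kind asked for above should place a field at a nonzero offset.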