From: Si-Wei Liu
To: willemdebruijn.kernel@gmail.com, jasowang@redhat.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, mst@redhat.com, boris.ostrovsky@oracle.com
Subject: [PATCH] net: tap: validate metadata and length for XDP buff before building up skb
Date: Wed, 29 May 2024 16:42:21 -0700
Message-Id: <1717026141-25716-1-git-send-email-si-wei.liu@oracle.com>

The cited commit failed to check the validity of the length and various pointers on the XDP buff metadata in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. For instance, tap_get_user() prohibits short frames whose length is less than the Ethernet header size from being transmitted, while the skb_set_network_header() in tap_get_user_xdp() would set the skb's network_header regardless of the actual XDP buff data size. This could either cause out-of-bounds access beyond the actual length, or confuse the underlayer with an incorrect or inconsistent header length in the skb metadata.

Propose to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. While at it, validate the pointers in XDP buff to avoid potential size overrun.

Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()") Cc: jasowang@redhat.com Signed-off-by: Si-Wei Liu --- drivers/net/tap.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/tap.c b/drivers/net/tap.c index bfdd3875fe86..69596479536f 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -1177,6 +1177,13 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp) struct sk_buff *skb; int err, depth; + if (unlikely(xdp->data < xdp->data_hard_start || + xdp->data_end < xdp->data || + xdp->data_end - xdp->data < ETH_HLEN)) { + err = -EINVAL; + goto err; + } + if (q->flags & IFF_VNET_HDR) vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); -- 2.39.3
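
Review bot: In the condition added at the top of tap_get_user_xdp(), the middle clause `xdp->data_end < xdp->data` is already implied by the third one, since the pointer difference is signed and a negative value compares below ETH_HLEN; either drop it or keep it with a one-line comment saying it is there for readability. The check also sits before vnet_hdr_len is read, so the length floor is ETH_HLEN whether or not IFF_VNET_HDR is set; the commit message should state that this is intended, and a short comment above the block noting that it mirrors the short-frame rejection in tap_get_user() would help the next reader. The only pointer validated against the buffer start is `data` versus `data_hard_start`, so "validate the pointers in XDP buff" in the changelog reads broader than what the hunk does and could be narrowed to match.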