Commit 086fbe7a authored May 21, 2024 by Toke Høiland-Jørgensen Committed by Pu Lehui May 21, 2024

cpumap: Zero-initialise xdp_rxq_info struct before running XDP program

stable inclusion
from stable-v5.10.213
commit 5f4e51abfbe6eb444fa91906a5cd083044278297
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q92U
CVE: CVE-2024-27431

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5f4e51abfbe6



--------------------------------

[ Upstream commit 2487007aa3b9fafbd2cb14068f49791ce1d7ede5 ]

When running an XDP program that is attached to a cpumap entry, we don't
initialise the xdp_rxq_info data structure being used in the xdp_buff
that backs the XDP program invocation. Tobias noticed that this leads to
random values being returned as the xdp_md->rx_queue_index value for XDP
programs running in a cpumap.

This means we're basically returning the contents of the uninitialised
memory, which is bad. Fix this by zero-initialising the rxq data
structure before running the XDP program.

Fixes: 92164774 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap")
Reported-by: Tobias Böhm <tobias@aibor.de>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/r/20240305213132.11955-1-toke@redhat.com


Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Pu Lehui <pulehui@huawei.com>

parent 3e487df5

kernel/bpf/cpumap.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -237,7 +237,7 @@ static int cpu_map_bpf_prog_run_xdp(struct bpf_cpu_map_entry *rcpu,
		void **frames, int n,
		struct xdp_cpumap_stats *stats)
		{
		struct xdp_rxq_info rxq;
		struct xdp_rxq_info rxq = {};
		struct xdp_buff xdp;
		int i, nframes = 0;