Commit b8228851 authored by bitcoffee's avatar bitcoffee
Browse files

ipvlan: fix UAF after skb has been consume by xdp generic 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB82XT



------------------------------------------

The AF_XDP currently implemented in ipvlan has some bugs. The SKB
transferred by the ipvlan is transferred to th ipvlan as a two-dimensional
pointer pskb, and then deliver to the xdp for processing. The XDP may
release the original SKB and create a new SKB, assign the address of the
new SKB to the pSKB. therefore, the pSKB transferred to the XDP must be
the pSKB provided by the driver and must not be lost during the process
from the driver to the XPD. Otherwist, the XDP determines that the original
pSKB may have been released after the driver uploooads the data packet to
the kernel for processing.

This causes UAF in the kernel and affects the memory usage of the normal
services. As a result, the kernel crashed.

Fixes: 373ce97b ("ipvlan: support use xdp native mode")
Signed-off-by: default avatarbitcoffee <liuxin350@huawei.com>
parent 920d5152

drivers/net/ipvlan/ipvlan_core.c

+2 −1
Original line number Diff line number Diff line
@@ -326,7 +326,8 @@ static int ipvlan_rcv_frame(struct ipvl_addr *addr, struct sk_buff **pskb, 
		goto go_network_stack;

	skb->dev = dev;

#ifdef CONFIG_XSK_MULTI_BUF

	xdp_ret = do_xdp_generic_multi(xdp_prog, &skb);

	xdp_ret = do_xdp_generic_multi(xdp_prog, pskb);

	skb = *pskb;

#else

	xdp_ret = do_xdp_generic(xdp_prog, skb);

#endif