Commit db5c97f0 authored Apr 02, 2020 by Li RongQing Committed by Daniel Borkmann Apr 06, 2020

xsk: Fix out of boundary write in __xsk_rcv_memcpy



first_len is the remainder of the first page we're copying.
If this size is larger, then out of page boundary write will
otherwise happen.

Fixes: c05cd364 ("xsk: add support to allow unaligned chunk placement")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Björn Töpel <bjorn.topel@intel.com>
Link: https://lore.kernel.org/bpf/1585813930-19712-1-git-send-email-lirongqing@baidu.com

parent 5222d696

net/xdp/xsk.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -131,8 +131,9 @@ static void __xsk_rcv_memcpy(struct xdp_umem umem, u64 addr, void from_buf,
		u64 page_start = addr & ~(PAGE_SIZE - 1);
		u64 first_len = PAGE_SIZE - (addr - page_start);

		memcpy(to_buf, from_buf, first_len + metalen);
		memcpy(next_pg_addr, from_buf + first_len, len - first_len);
		memcpy(to_buf, from_buf, first_len);
		memcpy(next_pg_addr, from_buf + first_len,
		len + metalen - first_len);

		return;
		}