Thread (10 messages) 10 messages, 5 authors, 2026-01-06

Re: [PATCH bpf-next 1/2] bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES

From: KaFai Wan <hidden>
Date: 2026-01-05 13:24:25
Also in: bpf, linux-kselftest, lkml

On Mon, 2026-01-05 at 11:46 +0100, Toke Høiland-Jørgensen wrote:
KaFai Wan [off-list ref] writes:
quoted
This fix reverts to the original version and ensures data_hard_start
correctly points to the xdp_frame structure, eliminating the security
risk.
This is wrong. We should just be checking the meta_len on input to
account for the size of xdp_frame. I'll send a patch.
Current version the actual limit of the max input meta_len for live frames is 
XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), not XDP_PACKET_HEADROOM.

The original version not set xdp_buff->data_hard_start with xdp_frame, 
I set it with the correct position by adding the headroom, so there is no need 
for user to reduce the max input meta_len.

This patch is failed with the xdp_do_redirect test, I'll fix and send v2 if 
you're ok with that.
 
-Toke
-- 
Thanks,
KaFai
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help