Skip to content

Commit

Permalink
xsk: fix an integer overflow in xp_create_and_assign_umem()
Browse files Browse the repository at this point in the history
Since the i and pool->chunk_size variables are of type 'u32',
their product can wrap around and then be cast to 'u64'.
This can lead to two different XDP buffers pointing to the same
memory area.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: 94033cd ("xsk: Optimize for aligned case")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
  • Loading branch information
Gavrilov Ilia authored and Paolo Abeni committed Mar 19, 2025
1 parent a0aff75 commit 559847f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/xdp/xsk_buff_pool.c
Original file line number Diff line number Diff line change
@@ -105,7 +105,7 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs,
if (pool->unaligned)
pool->free_heads[i] = xskb;
else
xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);
xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);
}

return pool;

0 comments on commit 559847f

Please sign in to comment.