Skip to content

Commit

Permalink
bpf: Fix too large copy from user in bpf_test_init
Browse files Browse the repository at this point in the history
Commit bc56c91 ("bpf: Add xdp.frame_sz in bpf_prog_test_run_xdp().")
recently changed bpf_prog_test_run_xdp() to use larger frames for XDP in
order to test tail growing frames (via bpf_xdp_adjust_tail) and to have
memory backing frame better resemble drivers.

The commit contains a bug, as it tries to copy the max data size from
userspace, instead of the size provided by userspace.  This cause XDP
unit tests to fail sporadically with EFAULT, an unfortunate behavior.
The fix is to only copy the size specified by userspace.

Fixes: bc56c91 ("bpf: Add xdp.frame_sz in bpf_prog_test_run_xdp().")
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Link: https://lore.kernel.org/bpf/158980712729.256597.6115007718472928659.stgit@firesoul
  • Loading branch information
Jesper Dangaard Brouer authored and Daniel Borkmann committed May 19, 2020
1 parent 59929cd commit d800bad
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions net/bpf/test_run.c
Original file line number Diff line number Diff line change
Expand Up @@ -160,16 +160,20 @@ static void *bpf_test_init(const union bpf_attr *kattr, u32 size,
u32 headroom, u32 tailroom)
{
void __user *data_in = u64_to_user_ptr(kattr->test.data_in);
u32 user_size = kattr->test.data_size_in;
void *data;

if (size < ETH_HLEN || size > PAGE_SIZE - headroom - tailroom)
return ERR_PTR(-EINVAL);

if (user_size > size)
return ERR_PTR(-EMSGSIZE);

data = kzalloc(size + headroom + tailroom, GFP_USER);
if (!data)
return ERR_PTR(-ENOMEM);

if (copy_from_user(data + headroom, data_in, size)) {
if (copy_from_user(data + headroom, data_in, user_size)) {
kfree(data);
return ERR_PTR(-EFAULT);
}
Expand Down Expand Up @@ -486,8 +490,6 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,

/* XDP have extra tailroom as (most) drivers use full page */
max_data_sz = 4096 - headroom - tailroom;
if (size > max_data_sz)
return -EINVAL;

data = bpf_test_init(kattr, max_data_sz, headroom, tailroom);
if (IS_ERR(data))
Expand Down

0 comments on commit d800bad

Please sign in to comment.