summaryrefslogtreecommitdiff
path: root/include/linux/bpf.h
diff options
context:
space:
mode:
authorXu Kuohai <xukuohai@huawei.com>2022-11-11 07:56:20 -0500
committerAndrii Nakryiko <andrii@kernel.org>2022-11-11 12:35:07 -0800
commit1f6e04a1c7b85da3b765ca9f46029e5d1826d839 (patch)
treed235618bfd0d5f48ae0336a3a2920db26c4e00a6 /include/linux/bpf.h
parent4b45cd81f737d79d0fbfc0d320a1e518e7f0bbf0 (diff)
downloadlwn-1f6e04a1c7b85da3b765ca9f46029e5d1826d839.tar.gz
lwn-1f6e04a1c7b85da3b765ca9f46029e5d1826d839.zip
bpf: Fix offset calculation error in __copy_map_value and zero_map_value
Function __copy_map_value and zero_map_value miscalculated copy offset, resulting in possible copy of unwanted data to user or kernel. Fix it. Fixes: cc48755808c6 ("bpf: Add zero_map_value to zero map value with special fields") Fixes: 4d7d7f69f4b1 ("bpf: Adapt copy_map_value for multiple offset case") Signed-off-by: Xu Kuohai <xukuohai@huawei.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/bpf/20221111125620.754855-1-xukuohai@huaweicloud.com
Diffstat (limited to 'include/linux/bpf.h')
-rw-r--r--include/linux/bpf.h4
1 files changed, 2 insertions, 2 deletions
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 74c6f449d81e..c1bd1bd10506 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -315,7 +315,7 @@ static inline void __copy_map_value(struct bpf_map *map, void *dst, void *src, b
u32 next_off = map->off_arr->field_off[i];
memcpy(dst + curr_off, src + curr_off, next_off - curr_off);
- curr_off += map->off_arr->field_sz[i];
+ curr_off = next_off + map->off_arr->field_sz[i];
}
memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off);
}
@@ -344,7 +344,7 @@ static inline void zero_map_value(struct bpf_map *map, void *dst)
u32 next_off = map->off_arr->field_off[i];
memset(dst + curr_off, 0, next_off - curr_off);
- curr_off += map->off_arr->field_sz[i];
+ curr_off = next_off + map->off_arr->field_sz[i];
}
memset(dst + curr_off, 0, map->value_size - curr_off);
}