summaryrefslogtreecommitdiff
path: root/net/bpf
diff options
context:
space:
mode:
authorJesper Dangaard Brouer <brouer@redhat.com>2020-05-18 15:05:27 +0200
committerDaniel Borkmann <daniel@iogearbox.net>2020-05-19 17:56:34 +0200
commitd800bad67d4c21aaf11722f04e0f7547fb915ab5 (patch)
treee7dbca49e7a5c1b6a8c5bd42acec8624903914df /net/bpf
parent59929cd1fec508a48ea2a04d8f2e4fdef907a2cd (diff)
downloadlwn-d800bad67d4c21aaf11722f04e0f7547fb915ab5.tar.gz
lwn-d800bad67d4c21aaf11722f04e0f7547fb915ab5.zip
bpf: Fix too large copy from user in bpf_test_init
Commit bc56c919fce7 ("bpf: Add xdp.frame_sz in bpf_prog_test_run_xdp().") recently changed bpf_prog_test_run_xdp() to use larger frames for XDP in order to test tail growing frames (via bpf_xdp_adjust_tail) and to have memory backing frame better resemble drivers. The commit contains a bug, as it tries to copy the max data size from userspace, instead of the size provided by userspace. This cause XDP unit tests to fail sporadically with EFAULT, an unfortunate behavior. The fix is to only copy the size specified by userspace. Fixes: bc56c919fce7 ("bpf: Add xdp.frame_sz in bpf_prog_test_run_xdp().") Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Andrii Nakryiko <andriin@fb.com> Link: https://lore.kernel.org/bpf/158980712729.256597.6115007718472928659.stgit@firesoul
Diffstat (limited to 'net/bpf')
-rw-r--r--net/bpf/test_run.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 30ba7d38941d..bfd4ccd80847 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -160,16 +160,20 @@ static void *bpf_test_init(const union bpf_attr *kattr, u32 size,
u32 headroom, u32 tailroom)
{
void __user *data_in = u64_to_user_ptr(kattr->test.data_in);
+ u32 user_size = kattr->test.data_size_in;
void *data;
if (size < ETH_HLEN || size > PAGE_SIZE - headroom - tailroom)
return ERR_PTR(-EINVAL);
+ if (user_size > size)
+ return ERR_PTR(-EMSGSIZE);
+
data = kzalloc(size + headroom + tailroom, GFP_USER);
if (!data)
return ERR_PTR(-ENOMEM);
- if (copy_from_user(data + headroom, data_in, size)) {
+ if (copy_from_user(data + headroom, data_in, user_size)) {
kfree(data);
return ERR_PTR(-EFAULT);
}
@@ -486,8 +490,6 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
/* XDP have extra tailroom as (most) drivers use full page */
max_data_sz = 4096 - headroom - tailroom;
- if (size > max_data_sz)
- return -EINVAL;
data = bpf_test_init(kattr, max_data_sz, headroom, tailroom);
if (IS_ERR(data))