Commit 97e19cce authored by Jesper Dangaard Brouer's avatar Jesper Dangaard Brouer Committed by Daniel Borkmann
Browse files

bpf: reserve xdp_frame size in xdp headroom 



Commit 6dfb970d ("xdp: avoid leaking info stored in frame data on
page reuse") tried to allow user/bpf_prog to (re)use area used by
xdp_frame (stored in frame headroom), by memset clearing area when
bpf_xdp_adjust_head give bpf_prog access to headroom area.

The mentioned commit had two bugs. (1) Didn't take bpf_xdp_adjust_meta
into account. (2) a combination of bpf_xdp_adjust_head calls, where
xdp->data is moved into xdp_frame section, can cause clearing
xdp_frame area again for area previously granted to bpf_prog.

After discussions with Daniel, we choose to implement a simpler
solution to the problem, which is to reserve the headroom used by
xdp_frame info.

This also avoids the situation where bpf_prog is allowed to adjust/add
headers, and then XDP_REDIRECT later drops the packet due to lack of
headroom for the xdp_frame.  This would likely confuse the end-user.

Fixes: 6dfb970d ("xdp: avoid leaking info stored in frame data on page reuse")
Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parent 7f3249fb

net/core/filter.c

+3 −9
Original line number Diff line number Diff line
@@ -2694,20 +2694,13 @@ BPF_CALL_2(bpf_xdp_adjust_head, struct xdp_buff *, xdp, int, offset) 
{

	void *xdp_frame_end = xdp->data_hard_start + sizeof(struct xdp_frame);

	unsigned long metalen = xdp_get_metalen(xdp);

	void *data_start = xdp->data_hard_start + metalen;

	void *data_start = xdp_frame_end + metalen;

	void *data = xdp->data + offset;



	if (unlikely(data < data_start ||

		     data > xdp->data_end - ETH_HLEN))

		return -EINVAL;



	/* Avoid info leak, when reusing area prev used by xdp_frame */

	if (data < xdp_frame_end) {

		unsigned long clearlen = xdp_frame_end - data;



		memset(data, 0, clearlen);

	}



	if (metalen)

		memmove(xdp->data_meta + offset,

			xdp->data_meta, metalen);
@@ -2751,12 +2744,13 @@ static const struct bpf_func_proto bpf_xdp_adjust_tail_proto = { 


BPF_CALL_2(bpf_xdp_adjust_meta, struct xdp_buff *, xdp, int, offset)

{

	void *xdp_frame_end = xdp->data_hard_start + sizeof(struct xdp_frame);

	void *meta = xdp->data_meta + offset;

	unsigned long metalen = xdp->data - meta;



	if (xdp_data_meta_unsupported(xdp))

		return -ENOTSUPP;

	if (unlikely(meta < xdp->data_hard_start ||

	if (unlikely(meta < xdp_frame_end ||

		     meta > xdp->data))

		return -EINVAL;

	if (unlikely((metalen & (sizeof(__u32) - 1)) ||

CRA Git | Maintained and supported by SUSTech CRA and CCSE