Re: [PATCH bpf] bpf: Fix offset calculation error in __copy_map_value and zero_map_value

[sdf@google.com]

On 11/11, Xu Kuohai wrote:
> From: Xu Kuohai <xukuohai@huawei.com>

> Function __copy_map_value and zero_map_value miscalculated copy offset,
> resulting in possible copy of unwanted data to user or kernel.

> Fix it.

> Fixes: cc48755808c6 ("bpf: Add zero_map_value to zero map value with  
> special fields")
> Fixes: 4d7d7f69f4b1 ("bpf: Adapt copy_map_value for multiple offset case")
> Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
> ---
>   include/linux/bpf.h | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)

> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index 74c6f449d81e..c1bd1bd10506 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -315,7 +315,7 @@ static inline void __copy_map_value(struct bpf_map  
> *map, void *dst, void *src, b
>   		u32 next_off = map->off_arr->field_off[i];

>   		memcpy(dst + curr_off, src + curr_off, next_off - curr_off);
> -		curr_off += map->off_arr->field_sz[i];
> +		curr_off = next_off + map->off_arr->field_sz[i];
>   	}
>   	memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off);
>   }
> @@ -344,7 +344,7 @@ static inline void zero_map_value(struct bpf_map  
> *map, void *dst)
>   		u32 next_off = map->off_arr->field_off[i];

>   		memset(dst + curr_off, 0, next_off - curr_off);
> -		curr_off += map->off_arr->field_sz[i];
> +		curr_off = next_off + map->off_arr->field_sz[i];
>   	}
>   	memset(dst + curr_off, 0, map->value_size - curr_off);
>   }

Hmm, does it mean that it currently works only for the cases where
these special fields are first/last?

Also, what about bpf-next? The same problem seem to exist there?

Might be a good idea to have some selftest to exercise this?

> --
> 2.30.2