From: Stephen Hemminger <stephen@networkplumber.org>
To: netdev@vger.kernel.org
Subject: Fw: [Bug 207225] New: Malformed headroom in umem request of XDP socket could lead to out of bound write
Date: Mon, 13 Apr 2020 08:24:05 -0700 [thread overview]
Message-ID: <20200413082405.70164089@hermes.lan> (raw)
Begin forwarded message:
Date: Mon, 13 Apr 2020 14:27:36 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 207225] New: Malformed headroom in umem request of XDP socket could lead to out of bound write
https://bugzilla.kernel.org/show_bug.cgi?id=207225
Bug ID: 207225
Summary: Malformed headroom in umem request of XDP socket could
lead to out of bound write
Product: Networking
Version: 2.5
Kernel Version: 5.5.11, 5.5.17, 5.7-rc1
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: low
Priority: P1
Component: Other
Assignee: stephen@networkplumber.org
Reporter: minhquangbui99@gmail.com
Regression: No
Created attachment 288417
--> https://bugzilla.kernel.org/attachment.cgi?id=288417&action=edit
POC registers malformed headroom in umem registration
- When user calls setsockopt to register umem ring on XDP socket, the headroom
can be a big unsigned 32 bit number, which leads to
+ This check in xdp_umem_reg function (net/xdp/xdp_umem.c) is bypassed
size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;
if (size_chk < 0)
return -EINVAL;
+ This initialization in the same function, the chunk_size_nohr becomes
larger than actual size
umem->chunk_size_nohr = chunk_size - headroom;
- Consequence: I see that the chunk_size_nohr is used to check that the
xdp_buff can fit into the chunk in xsk receive functions; with this malformed
chunk_size_nohr, we can put a larger than chunk size xdp_buff to chunk, leads
to an out of bound write. However, I research some more and find that to
trigger to receive functions, we must redirect the packets from XDP program
using xskmap which requires CAP_NET_ADMIN capability, which makes this very low
impact.
- Unfortunately, I cannot trigger xsk receive functions (I am new to Linux
kernel) due to some error when binding XDP program to an interface. I can only
prove the register side, the initialization of chunk_size_nohr via debugging. I
attached the POC of malformed headroom umem register below, which I tested on
kernel 5.5.11. The POC needs to be run with root privilege (or a user with
CAP_NET_RAW, this could be achieve with new user namespace on kernel with
CONFIG_USER_NS=y, however, as far as I know, next phases when allocate xskmap,
CAP_NET_ADMIN is required and user namespace is not permitted).
Thank you very much for reviewing this report
--
You are receiving this mail because:
You are the assignee for the bug.
reply other threads:[~2020-04-13 15:24 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200413082405.70164089@hermes.lan \
--to=stephen@networkplumber.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).