From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel Borkmann Subject: Re: PROBLEM: Using BPF_PROG_TEST_RUN with data_out != NULL is unsafe Date: Wed, 4 Apr 2018 12:01:45 +0200 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org To: Lorenz Bauer , ast@kernel.org Return-path: In-Reply-To: Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On 04/04/2018 11:04 AM, Lorenz Bauer wrote: > Hello, > > I’ve encountered an issue when using BPF_PROG_TEST_RUN and capturing the output. > The kernel copies data into user space without checking the length of > the destination buffer. > > In bpf_test_finish(), size is the amount of data in the XDP buffer / > skb after the program is run. This can be larger than data_size_in due > to bpf_xdp_adjust_head() and friends. > bpf_test_finish doesn’t clamp size to data_size_out, which is what I > was expecting. > > What is the correct way to use this interface? Yeah, so XDP has a headroom of XDP_PACKET_HEADROOM + NET_IP_ALIGN which in case of x86 is 256 bytes (NET_IP_ALIGN being 0 there). This means that attr.test.data_out buffer needs to be 256 bytes larger than attr.test.data_in in case the BPF prog calls bpf_xdp_adjust_head() or bpf_xdp_adjust_meta(). In case you point data_in and data_out to the same address, then the total buffer size therefore has to be attr.test.data_size_in + 256 in order to not overrun anything while not being aware of the BPF test program. The XDP_PACKET_HEADROOM is exposed to user space in linux/bpf.h.