From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail-bn3nam01on0094.outbound.protection.outlook.com ([104.47.33.94]:39765
        "EHLO NAM01-BN3-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1732197AbeIXUva (ORCPT <rfc822;stable@vger.kernel.org>);
        Mon, 24 Sep 2018 16:51:30 -0400
From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
CC: Tushar Dave <tushar.n.dave@oracle.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.18 50/76] bpf: Fix bpf_msg_pull_data()
Date: Mon, 24 Sep 2018 14:48:32 +0000
Message-ID: <20180924144751.164410-49-alexander.levin@microsoft.com>
References: <20180924144751.164410-1-alexander.levin@microsoft.com>
In-Reply-To: <20180924144751.164410-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

From: Tushar Dave <tushar.n.dave@oracle.com>

[ Upstream commit 9db39f4d4f94b61e4b64b077f6ddb2bdfb533a88 ]

Helper bpf_msg_pull_data() mistakenly reuses variable 'offset' while
linearizing multiple scatterlist elements. Variable 'offset' is used
to find first starting scatterlist element
    i.e. msg->data =3D sg_virt(&sg[first_sg]) + start - offset"

Use different variable name while linearizing multiple scatterlist
elements so that value contained in variable 'offset' won't get
overwritten.

Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 net/core/filter.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index a80b57e4aaed..963ee2e88861 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2282,7 +2282,7 @@ static const struct bpf_func_proto bpf_msg_cork_bytes=
_proto =3D {
 BPF_CALL_4(bpf_msg_pull_data,
 	   struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags)
 {
-	unsigned int len =3D 0, offset =3D 0, copy =3D 0;
+	unsigned int len =3D 0, offset =3D 0, copy =3D 0, poffset =3D 0;
 	int bytes =3D end - start, bytes_sg_total;
 	struct scatterlist *sg =3D msg->sg_data;
 	int first_sg, last_sg, i, shift;
@@ -2338,16 +2338,15 @@ BPF_CALL_4(bpf_msg_pull_data,
 	if (unlikely(!page))
 		return -ENOMEM;
 	p =3D page_address(page);
-	offset =3D 0;
=20
 	i =3D first_sg;
 	do {
 		from =3D sg_virt(&sg[i]);
 		len =3D sg[i].length;
-		to =3D p + offset;
+		to =3D p + poffset;
=20
 		memcpy(to, from, len);
-		offset +=3D len;
+		poffset +=3D len;
 		sg[i].length =3D 0;
 		put_page(sg_page(&sg[i]));
=20
--=20
2.17.1