From: Jason Xing <[email protected]> Date: Thu, 9 Oct 2025 22:02:23 +0800
> On Thu, Oct 9, 2025 at 12:59 AM Alexander Lobakin > <[email protected]> wrote: >> >> Turned out certain clearly invalid values passed in &xdp_desc from >> userspace can pass xp_{,un}aligned_validate_desc() and then lead >> to UBs or just invalid frames to be queued for xmit. >> >> desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len >> can cause positive integer overflow and wraparound, the same way low >> enough desc->addr with a non-zero pool->tx_metadata_len can cause >> negative integer overflow. Both scenarios can then pass the >> validation successfully. >> This doesn't happen with valid XSk applications, but can be used >> to perform attacks. >> >> Always promote desc->len to ``u64`` first to exclude positive >> overflows of it. Use explicit check_{add,sub}_overflow() when >> validating desc->addr (which is ``u64`` already). >> >> bloat-o-meter reports a little growth of the code size: >> >> add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) >> Function old new delta >> xskq_cons_peek_desc 299 330 +31 >> xsk_tx_peek_release_desc_batch 973 1002 +29 >> xsk_generic_xmit 3148 3132 -16 >> >> but hopefully this doesn't hurt the performance much. > > I don't see an evident point that might affect the performance. Since > you said that, I tested by running './xdpsock -i eth1 -t -S -s 64' and > didn't spot any degradation. Thanks for testing! > >> >> Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len") >> Cc: [email protected] # 6.8+ >> Signed-off-by: Alexander Lobakin <[email protected]> > > Thanks for the fix! > > Reviewed-by: Jason Xing <[email protected]> > >> --- >> net/xdp/xsk_queue.h | 45 +++++++++++++++++++++++++++++++++++---------- >> 1 file changed, 35 insertions(+), 10 deletions(-) >> >> diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h >> index f16f390370dc..1eb8d9f8b104 100644 >> --- a/net/xdp/xsk_queue.h >> +++ b/net/xdp/xsk_queue.h >> @@ -143,14 +143,24 @@ static inline bool xp_unused_options_set(u32 options) >> static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool, >> struct xdp_desc *desc) >> { >> - u64 addr = desc->addr - pool->tx_metadata_len; >> - u64 len = desc->len + pool->tx_metadata_len; >> - u64 offset = addr & (pool->chunk_size - 1); >> + u64 len = desc->len; >> + u64 addr, offset; >> >> - if (!desc->len) >> + if (!len) >> return false; >> >> - if (offset + len > pool->chunk_size) >> + /* Can overflow if desc->addr < pool->tx_metadata_len */ >> + if (check_sub_overflow(desc->addr, pool->tx_metadata_len, &addr)) >> + return false; >> + >> + offset = addr & (pool->chunk_size - 1); >> + >> + /* >> + * Can't overflow: @offset is guaranteed to be < ``U32_MAX`` >> + * (pool->chunk_size is ``u32``), @len is guaranteed >> + * to be <= ``U32_MAX``. >> + */ >> + if (offset + len + pool->tx_metadata_len > pool->chunk_size) >> return false; >> >> if (addr >= pool->addrs_cnt) >> @@ -158,27 +168,42 @@ static inline bool xp_aligned_validate_desc(struct >> xsk_buff_pool *pool, >> >> if (xp_unused_options_set(desc->options)) >> return false; >> + > > nit? Yes, probably doesn't fit well for this particular fix. I have no strong preference and can remove it if the community wishes. > >> return true; >> } >> >> static inline bool xp_unaligned_validate_desc(struct xsk_buff_pool *pool, >> struct xdp_desc *desc) >> { >> - u64 addr = xp_unaligned_add_offset_to_addr(desc->addr) - >> pool->tx_metadata_len; >> - u64 len = desc->len + pool->tx_metadata_len; >> + u64 len = desc->len; >> + u64 addr, end; >> >> - if (!desc->len) >> + if (!len) >> return false; >> >> + /* Can't overflow: @len is guaranteed to be <= ``U32_MAX`` */ >> + len += pool->tx_metadata_len; >> if (len > pool->chunk_size) >> return false; >> >> - if (addr >= pool->addrs_cnt || addr + len > pool->addrs_cnt || >> - xp_desc_crosses_non_contig_pg(pool, addr, len)) >> + /* Can overflow if desc->addr is close to 0 */ >> + if (check_sub_overflow(xp_unaligned_add_offset_to_addr(desc->addr), >> + pool->tx_metadata_len, &addr)) >> + return false; >> + >> + if (addr >= pool->addrs_cnt) >> + return false; >> + >> + /* Can overflow if pool->addrs_cnt is high enough */ >> + if (check_add_overflow(addr, len, &end) || end > pool->addrs_cnt) >> + return false; >> + >> + if (xp_desc_crosses_non_contig_pg(pool, addr, len)) >> return false; >> >> if (xp_unused_options_set(desc->options)) >> return false; >> + Same here. >> return true; >> } Thanks, Olek
