PROBLEM: Using BPF_PROG_TEST_RUN with data_out != NULL is unsafe

From: Lorenz Bauer
Date: Wed Apr 04 2018 - 05:04:15 EST


Hello,

I've encountered an issue when using BPF_PROG_TEST_RUN and capturing the output.
The kernel copies data into user space without checking the length of
the destination buffer.

In bpf_test_finish(), size is the amount of data in the XDP buffer /
skb after the program is run. This can be larger than data_size_in due
to bpf_xdp_adjust_head() and friends.
bpf_test_finish doesn't clamp size to data_size_out, which is what I
was expecting.

What is the correct way to use this interface?

Best,
Lorenz

--
Lorenz Bauer | Systems Engineer
25 Lavington St., London SE1 0NZ

www.cloudflare.com
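
A userspace model of the copy-out step described in this report, added here as an illustration; it is not kernel code and not part of the original message. The names `user_mem`, `model_finish`, `clobbered` and `run_model` are hypothetical, and the 64-byte buffer and 14-byte growth are constructed values.

```c
/* Userspace model only, not kernel code; all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CANARY = 0xA5, ARENA = 256 };

/* bytes[0..out_len) stands in for the caller's data_out buffer; the rest of
 * the arena is unrelated caller memory, pre-filled with a canary value. */
struct user_mem { uint8_t bytes[ARENA]; uint32_t out_len; };

/* clamp=0: destination length ignored, as the report describes. clamp=1: the
 * copy is clamped, and the full size is still returned to show truncation. */
static uint32_t model_finish(struct user_mem *m, const uint8_t *pkt,
                             uint32_t size, int clamp)
{
    uint32_t n = size;
    if (clamp && n > m->out_len) n = m->out_len;
    if (n > ARENA) n = ARENA;          /* keep the model itself in bounds */
    memcpy(m->bytes, pkt, n);
    return size;
}

/* Count bytes past the caller's buffer that no longer hold the canary. */
static uint32_t clobbered(const struct user_mem *m)
{
    uint32_t n = 0;
    for (uint32_t i = m->out_len; i < ARENA; i++)
        n += (m->bytes[i] != CANARY);
    return n;
}

/* Constructed case: data_out holds in_len bytes, and the program grew the
 * packet by `grow` bytes (as bpf_xdp_adjust_head() can) before the copy. */
static uint32_t run_model(uint32_t in_len, uint32_t grow, int clamp)
{
    uint8_t pkt[ARENA];
    struct user_mem m = { .out_len = in_len };
    memset(pkt, 0x11, sizeof(pkt));
    memset(m.bytes, CANARY, sizeof(m.bytes));
    model_finish(&m, pkt, in_len + grow, clamp);
    return clobbered(&m);
}

int main(void)
{
    printf("bytes past data_out: unclamped=%u clamped=%u\n",
           run_model(64, 14, 0), run_model(64, 14, 1));
    return 0;
}
```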