[PATCH 5.6 008/166] xsk: Fix out of boundary write in __xsk_rcv_memcpy
From: Greg Kroah-Hartman
Date: Wed Apr 22 2020 - 06:38:33 EST
From: Li RongQing <lirongqing@xxxxxxxxx>
commit db5c97f02373917efe2c218ebf8e3d8b19e343b6 upstream.
first_len is the remainder of the first page we're copying.
If this size is larger, then out of page boundary write will
otherwise happen.
Fixes: c05cd3645814 ("xsk: add support to allow unaligned chunk placement")
Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Acked-by: Jonathan Lemon <jonathan.lemon@xxxxxxxxx>
Acked-by: BjÃrn TÃpel <bjorn.topel@xxxxxxxxx>
Link: https://lore.kernel.org/bpf/1585813930-19712-1-git-send-email-lirongqing@xxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/xdp/xsk.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -131,8 +131,9 @@ static void __xsk_rcv_memcpy(struct xdp_
u64 page_start = addr & ~(PAGE_SIZE - 1);
u64 first_len = PAGE_SIZE - (addr - page_start);
- memcpy(to_buf, from_buf, first_len + metalen);
- memcpy(next_pg_addr, from_buf + first_len, len - first_len);
+ memcpy(to_buf, from_buf, first_len);
+ memcpy(next_pg_addr, from_buf + first_len,
+ len + metalen - first_len);
return;
}