[PATCH v1 bpf 1/1] libbpf: don't force user-supplied ifname string to be of fixed size

From: Emmanuel Deloget
Date: Thu Dec 09 2021 - 07:04:02 EST

Next message: Vinod Koul: "Re: [PATCH v2 0/2] clk: qcom: Add clocks for SM8450 SoC"
Previous message: Vinod Koul: "Re: [PATCH v6] phy: qcom-qmp: add display port v4 voltage and pre-emphasis swing tables"
Next in thread: Andrii Nakryiko: "Re: [PATCH v1 bpf 1/1] libbpf: don't force user-supplied ifname string to be of fixed size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When calling either xsk_socket__create_shared() or xsk_socket__create()
the user supplies a const char *ifname which is implicitely supposed to
be a pointer to the start of a char[IFNAMSIZ] array. The internal
function xsk_create_ctx() then blindly copy IFNAMSIZ bytes from this
string into the xsk context.

This is counter-intuitive and error-prone.

For example,

int r = xsk_socket__create(..., "eth0", ...)

may result in an invalid object because of the blind copy. The "eth0"
string might be followed by random data from the ro data section,
resulting in ctx->ifname being filled with the correct interface name
then a bunch and invalid bytes.

The same kind of issue arises when the ifname string is located on the
stack:

char ifname[] = "eth0";
int r = xsk_socket__create(..., ifname, ...);

Or comes from the command line

const char *ifname = argv[n];
int r = xsk_socket__create(..., ifname, ...);

In both case we'll fill ctx->ifname with random data from the stack.

In practice, we saw that this issue caused various small errors which,
in then end, prevented us to setup a valid xsk context that would have
allowed us to capture packets on our interfaces. We fixed this issue in
our code by forcing our char ifname[] to be of size IFNAMSIZ but that felt
weird and unnecessary.

Fixes: 2f6324a3937f8 (libbpf: Support shared umems between queues and devices)
Signed-off-by: Emmanuel Deloget <emmanuel.deloget@xxxxxxxx>
---
tools/lib/bpf/xsk.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c
index 81f8fbc85e70..8dda80bcefcc 100644
--- a/tools/lib/bpf/xsk.c
+++ b/tools/lib/bpf/xsk.c
@@ -944,6 +944,7 @@ static struct xsk_ctx *xsk_create_ctx(struct xsk_socket *xsk,
{
struct xsk_ctx *ctx;
int err;
+ size_t ifnamlen;

ctx = calloc(1, sizeof(*ctx));
if (!ctx)
@@ -965,8 +966,10 @@ static struct xsk_ctx *xsk_create_ctx(struct xsk_socket *xsk,
ctx->refcount = 1;
ctx->umem = umem;
ctx->queue_id = queue_id;
- memcpy(ctx->ifname, ifname, IFNAMSIZ - 1);
- ctx->ifname[IFNAMSIZ - 1] = '\0';
+
+ ifnamlen = strnlen(ifname, IFNAMSIZ);
+ memcpy(ctx->ifname, ifname, ifnamlen);
+ ctx->ifname[IFNAMSIZ - 1] = 0;

ctx->fill = fill;
ctx->comp = comp;
--
2.32.0

Next message: Vinod Koul: "Re: [PATCH v2 0/2] clk: qcom: Add clocks for SM8450 SoC"
Previous message: Vinod Koul: "Re: [PATCH v6] phy: qcom-qmp: add display port v4 voltage and pre-emphasis swing tables"
Next in thread: Andrii Nakryiko: "Re: [PATCH v1 bpf 1/1] libbpf: don't force user-supplied ifname string to be of fixed size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]