Re: [PATCH bpf-next 1/2] bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES
From: KaFai Wan
Date: Mon Jan 05 2026 - 08:24:45 EST
On Mon, 2026-01-05 at 11:46 +0100, Toke Høiland-Jørgensen wrote:
> KaFai Wan <kafai.wan@xxxxxxxxx> writes:
>
> > This fix reverts to the original version and ensures data_hard_start
> > correctly points to the xdp_frame structure, eliminating the security
> > risk.
>
> This is wrong. We should just be checking the meta_len on input to
> account for the size of xdp_frame. I'll send a patch.
Current version the actual limit of the max input meta_len for live frames is
XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), not XDP_PACKET_HEADROOM.
The original version not set xdp_buff->data_hard_start with xdp_frame,
I set it with the correct position by adding the headroom, so there is no need
for user to reduce the max input meta_len.
This patch is failed with the xdp_do_redirect test, I'll fix and send v2 if
you're ok with that.
>
> -Toke
>
--
Thanks,
KaFai