Re: [PATCH bpf-next 1/2] bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES

Next message: Daniel Golle: "[PATCH net-next v2 1/5] net: phy: realtek: fix whitespace in struct phy_driver initializers"
Previous message: David Hildenbrand (Red Hat): "Re: [PATCH v3 2/6] mm: khugepaged: refine scan progress number"
In reply to: KaFai Wan: "Re: [PATCH bpf-next 1/2] bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES"
Next in thread: KaFai Wan: "Re: [PATCH bpf-next 1/2] bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Toke Høiland-Jørgensen

Date: Mon Jan 05 2026 - 11:50:53 EST

KaFai Wan <kafai.wan@xxxxxxxxx> writes:

> On Mon, 2026-01-05 at 11:46 +0100, Toke Høiland-Jørgensen wrote:
>> KaFai Wan <kafai.wan@xxxxxxxxx> writes:
>>
>> > This fix reverts to the original version and ensures data_hard_start
>> > correctly points to the xdp_frame structure, eliminating the security
>> > risk.
>>
>> This is wrong. We should just be checking the meta_len on input to
>> account for the size of xdp_frame. I'll send a patch.
>
> Current version the actual limit of the max input meta_len for live frames is
> XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), not
> XDP_PACKET_HEADROOM.

By "current version", you mean the patch I sent[0], right?

If so, that was deliberate: the stack limits the maximum data_meta size
to XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), so there's no reason
not to do the same for bpf_prog_run(). And some chance that diverging
here will end up surfacing other bugs down the line.

-Toke

[0] https://lore.kernel.org/r/20260105114747.1358750-1-toke@xxxxxxxxxx