Re: [PATCH bpf-next 1/2] bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES

Next message: Marc Zyngier: "Re: [PATCH] arm64: Kconfig: deprecate redundant ARM64_USE_LSE_ATOMICS"
Previous message: Lorenzo Stoakes: "Re: [PATCH 1/8] mm/rmap: improve anon_vma_clone(), unlink_anon_vmas() comments, add asserts"
In reply to: Toke H&#xF8;iland-J&#xF8;rgensen: "Re: [PATCH bpf-next 1/2] bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES"
Next in thread: KaFai Wan: "[PATCH bpf-next 2/2] selftests/bpf: Add test for xdp_md context with LIVE_FRAMES in BPF_PROG_TEST_RUN"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: KaFai Wan

Date: Tue Jan 06 2026 - 08:54:25 EST

On Mon, 2026-01-05 at 17:43 +0100, Toke Høiland-Jørgensen wrote:
> KaFai Wan <kafai.wan@xxxxxxxxx> writes:
>
> > On Mon, 2026-01-05 at 11:46 +0100, Toke Høiland-Jørgensen wrote:
> > > KaFai Wan <kafai.wan@xxxxxxxxx> writes:
> > >
> > > > This fix reverts to the original version and ensures data_hard_start
> > > > correctly points to the xdp_frame structure, eliminating the security
> > > > risk.
> > >
> > > This is wrong. We should just be checking the meta_len on input to
> > > account for the size of xdp_frame. I'll send a patch.
> >
> > Current version the actual limit of the max input meta_len for live frames is
> > XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), not
> > XDP_PACKET_HEADROOM.
>
> By "current version", you mean the patch I sent[0], right?
>
> If so, that was deliberate: the stack limits the maximum data_meta size
> to XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), so there's no reason
> not to do the same for bpf_prog_run(). And some chance that diverging
> here will end up surfacing other bugs down the line.
>
Oh, I see. Thank you for your explanation.
> -Toke
>
> [0] https://lore.kernel.org/r/20260105114747.1358750-1-toke@xxxxxxxxxx
>

--
Thanks,
KaFai