tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
bpf: Do not dereference user pointer in bpf_test_finish().
Instead, pass the kattr in which has a kernel side copy of this
data structure from userspace already.
Fix based upon a suggestion from Alexei Starovoitov.
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+5
-4
+5
-4
net/bpf/test_run.c
+5
-4
net/bpf/test_run.c
···
49
49
return ret;
50
50
}
51
51
52
-
static int bpf_test_finish(union bpf_attr __user *uattr, const void *data,
52
+
static int bpf_test_finish(const union bpf_attr *kattr,
53
+
union bpf_attr __user *uattr, const void *data,
53
54
u32 size, u32 retval, u32 duration)
54
55
{
55
-
void __user *data_out = u64_to_user_ptr(uattr->test.data_out);
56
+
void __user *data_out = u64_to_user_ptr(kattr->test.data_out);
56
57
int err = -EFAULT;
57
58
58
59
if (data_out && copy_to_user(data_out, data, size))
···
141
140
/* bpf program can never convert linear skb to non-linear */
142
141
if (WARN_ON_ONCE(skb_is_nonlinear(skb)))
143
142
size = skb_headlen(skb);
144
-
ret = bpf_test_finish(uattr, skb->data, size, retval, duration);
143
+
ret = bpf_test_finish(kattr, uattr, skb->data, size, retval, duration);
145
144
kfree_skb(skb);
146
145
return ret;
147
146
}
···
167
166
retval = bpf_test_run(prog, &xdp, repeat, &duration);
168
167
if (xdp.data != data + XDP_PACKET_HEADROOM)
169
168
size = xdp.data_end - xdp.data;
170
-
ret = bpf_test_finish(uattr, xdp.data, size, retval, duration);
169
+
ret = bpf_test_finish(kattr, uattr, xdp.data, size, retval, duration);
171
170
kfree(data);
172
171
return ret;
173
172
}