[net-next,v3,30/33] xdp: clear grow memory in bpf_xdp_adjust_tail()

Message ID 158893627850.2321140.10204400330949821907.stgit@firesoul
State New
Headers show
Series
  • [net-next,v3,01/33] xdp: add frame size to xdp_buff
Related show

Commit Message

Jesper Dangaard Brouer May 8, 2020, 11:11 a.m.
Clearing memory of tail when grow happens, because it is too easy
to write a XDP_PASS program that extend the tail, which expose
this memory to users that can run tcpdump.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 net/core/filter.c |    4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/net/core/filter.c b/net/core/filter.c
index ec3ab2e2d800..691235208e0b 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3427,6 +3427,10 @@  BPF_CALL_2(bpf_xdp_adjust_tail, struct xdp_buff *, xdp, int, offset)
 	if (unlikely(data_end < xdp->data + ETH_HLEN))
 		return -EINVAL;
 
+	/* Clear memory area on grow, can contain uninit kernel memory */
+	if (offset > 0)
+		memset(xdp->data_end, 0, offset);
+
 	xdp->data_end = data_end;
 
 	return 0;