summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJesper Dangaard Brouer <brouer@redhat.com>2020-05-14 12:51:30 +0200
committerAlexei Starovoitov <ast@kernel.org>2020-05-14 21:21:56 -0700
commitddb47d518ca10948d1f64a983cb9274720f691cd (patch)
tree0cf318eef490d4bc486d0eeae7604cd6a660f8ab
parentc8741e2bfe872425ea6f10bb6f7dc1d67bc60c3a (diff)
downloadlinux-ddb47d518ca10948d1f64a983cb9274720f691cd.tar.bz2
xdp: Clear grow memory in bpf_xdp_adjust_tail()
Clearing memory of tail when grow happens, because it is too easy to write a XDP_PASS program that extend the tail, which expose this memory to users that can run tcpdump. Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Toke Høiland-Jørgensen <toke@redhat.com> Link: https://lore.kernel.org/bpf/158945349039.97035.5262100484553494.stgit@firesoul
-rw-r--r--net/core/filter.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/net/core/filter.c b/net/core/filter.c
index e7b033dad44e..a85eb538d4d6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3427,6 +3427,10 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct xdp_buff *, xdp, int, offset)
if (unlikely(data_end < xdp->data + ETH_HLEN))
return -EINVAL;
+ /* Clear memory area on grow, can contain uninit kernel memory */
+ if (offset > 0)
+ memset(xdp->data_end, 0, offset);
+
xdp->data_end = data_end;
return 0;