Hi,
Jordy reported that for big enough XSKMAPs and DEVMAPs, when deleting
elements, OOB writes occur.
Reproducer below:
// compile with gcc -o map_poc map_poc.c -lbpf
#include <errno.h>
#include <linux/bpf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
int main() {
// Create a large enough BPF XSK map
int map_fd;
union bpf_attr create_attr = {
.map_type = BPF_MAP_TYPE_XSKMAP,
.key_size = sizeof(int),
.value_size = sizeof(int),
.max_entries = 0x80000000 + 2,
};
map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &create_attr, sizeof(create_attr));
if (map_fd < 0) {
fprintf(stderr, "Failed to create BPF map: %s\n", strerror(errno));
return 1;
}
// Delete an element from the map using syscall
unsigned int key = 0x80000000 + 1;
if (syscall(SYS_bpf, BPF_MAP_DELETE_ELEM,
&(union bpf_attr){
.map_fd = map_fd,
.key = &key,
},
sizeof(union bpf_attr)) < 0) {
fprintf(stderr, "Failed to delete element from BPF map: %s\n",
strerror(errno));
return 1;
}
close(map_fd);
return 0;
}
This tiny series changes data types from int to u32 of keys being used
for map accesses.
Thanks,
Maciej
Maciej Fijalkowski (2):
xsk: fix OOB map writes when deleting elements
bpf: fix OOB devmap writes when deleting elements
kernel/bpf/devmap.c | 6 +++---
net/xdp/xskmap.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--
2.34.1
