[PATCH 5.18 0503/1095] bpf: Fix bpf_xdp_pointer return pointer

Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 15 Aug 2022 19:58:22 +0200

From: Joanne Koong <joannelkoong@xxxxxxxxx>

[ Upstream commit bbd52178e249fe893ef4a9b87cde5b6c473b0a7c ]

For the case where offset + len == size, bpf_xdp_pointer should return a
valid pointer to the addr because that access is permitted. We should
only return NULL in the case where offset + len exceeds size.

Fixes: 3f364222d032 ("net: xdp: introduce bpf_xdp_pointer utility routine")
Signed-off-by: Joanne Koong <joannelkoong@xxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Acked-by: Martin KaFai Lau <kafai@xxxxxx>
Acked-by: Lorenzo Bianconi <lorenzo@xxxxxxxxxx>
Link: https://lore.kernel.org/bpf/20220722220105.2065466-1-joannelkoong@xxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
 net/core/filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 5db4fae23925..a98f34cb5aee 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3917,7 +3917,7 @@ static void *bpf_xdp_pointer(struct xdp_buff *xdp, u32 offset, u32 len)
 		offset -= frag_size;
 	}
 out:
-	return offset + len < size ? addr + offset : NULL;
+	return offset + len <= size ? addr + offset : NULL;
 }
 
 BPF_CALL_4(bpf_xdp_load_bytes, struct xdp_buff *, xdp, u32, offset,
-- 
2.35.1









