[PATCH 5.4 003/118] xsk: Fix out of boundary write in __xsk_rcv_memcpy

From: Greg Kroah-Hartman
Date: Wed Apr 22 2020 - 06:46:16 EST


From: Li RongQing <lirongqing@xxxxxxxxx>

commit db5c97f02373917efe2c218ebf8e3d8b19e343b6 upstream.

first_len is the remainder of the first page we're copying.
If this size is larger, then out of page boundary write will
otherwise happen.

Fixes: c05cd3645814 ("xsk: add support to allow unaligned chunk placement")
Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Acked-by: Jonathan Lemon <jonathan.lemon@xxxxxxxxx>
Acked-by: BjÃrn TÃpel <bjorn.topel@xxxxxxxxx>
Link: https://lore.kernel.org/bpf/1585813930-19712-1-git-send-email-lirongqing@xxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
net/xdp/xsk.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -129,8 +129,9 @@ static void __xsk_rcv_memcpy(struct xdp_
u64 page_start = addr & ~(PAGE_SIZE - 1);
u64 first_len = PAGE_SIZE - (addr - page_start);

- memcpy(to_buf, from_buf, first_len + metalen);
- memcpy(next_pg_addr, from_buf + first_len, len - first_len);
+ memcpy(to_buf, from_buf, first_len);
+ memcpy(next_pg_addr, from_buf + first_len,
+ len + metalen - first_len);

return;
}