[lvc-project] [PATCH net] xsk: Fix overflow in descriptor validation@@
Alexander Lobakin
aleksander.lobakin at intel.com
Mon Oct 6 18:19:42 MSK 2025
From: Ilia Gavrilov <Ilia.Gavrilov at infotecs.ru>
Date: Mon, 6 Oct 2025 08:53:17 +0000
> The desc->len value can be set up to U32_MAX. If umem tx_metadata_len
In theory. Never in practice.
> option is also set, then the value of the expression
> 'desc->len + pool->tx_metadata_len' can overflow and validation
> of the incorrect descriptor will be successfully passed.
> This can lead to a subsequent chain of arithmetic overflows
> in the xsk_build_skb() function and incorrect sk_buff allocation.
>
> Found by InfoTeCS on behalf of Linux Verification Center
> (linuxtesting.org) with SVACE.
I think the general rule for sending fixes is that a fix must fix a real
bug which can be reproduced in real life scenarios.
Static Analysis Tools have no idea that nobody sends 4 Gb sized network
packets.
>
> Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len")
> Cc: stable at vger.kernel.org
> Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov at infotecs.ru>
> ---
> net/xdp/xsk_queue.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Thanks,
Olek
More information about the lvc-project
mailing list