Commit 559847f5 authored Mar 13, 2025 by Gavrilov Ilia Committed by Paolo Abeni Mar 19, 2025

xsk: fix an integer overflow in xp_create_and_assign_umem()



Since the i and pool->chunk_size variables are of type 'u32',
their product can wrap around and then be cast to 'u64'.
This can lead to two different XDP buffers pointing to the same
memory area.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: 94033cd8 ("xsk: Optimize for aligned case")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent a0aff75e

net/xdp/xsk_buff_pool.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -105,7 +105,7 @@ struct xsk_buff_pool xp_create_and_assign_umem(struct xdp_sock xs,
		if (pool->unaligned)
		pool->free_heads[i] = xskb;
		else
		xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);
		xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);
		}

		return pool;