Bug 207225

Created attachment 288417 [details]
POC registers malformed headroom in umem registration

- When user calls setsockopt to register umem ring on XDP socket, the headroom can be a big unsigned 32 bit number, which leads to
   + This check in xdp_umem_reg function (net/xdp/xdp_umem.c) is bypassed
   size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;
   if (size_chk < 0)
	return -EINVAL;
   + This initialization in the same function, the chunk_size_nohr becomes larger than actual size
   umem->chunk_size_nohr = chunk_size - headroom; 

- Consequence: I see that the chunk_size_nohr is used to check that the xdp_buff can fit into the chunk in xsk receive functions; with this malformed chunk_size_nohr, we can put a larger than chunk size xdp_buff to chunk, leads to an out of bound write. However, I research some more and find that to trigger to receive functions, we must redirect the packets from XDP program using xskmap which requires CAP_NET_ADMIN capability, which makes this very low impact.

- Unfortunately, I cannot trigger xsk receive functions (I am new to Linux kernel) due to some error when binding XDP program to an interface. I can only prove the register side, the initialization of chunk_size_nohr via debugging. I attached the POC of malformed headroom umem register below, which I tested on kernel 5.5.11. The POC needs to be run with root privilege (or a user with CAP_NET_RAW, this could be achieve with new user namespace on kernel with CONFIG_USER_NS=y, however, as far as I know, next phases when allocate xskmap, CAP_NET_ADMIN is required and user namespace is not permitted).

Thank you very much for reviewing this report