Bug 207225
Summary: | Malformed headroom in umem request of XDP socket could lead to out of bound write | ||
---|---|---|---|
Product: | Networking | Reporter: | Bùi Quang Minh (minhquangbui99) |
Component: | Other | Assignee: | Stephen Hemminger (stephen) |
Status: | RESOLVED PATCH_ALREADY_AVAILABLE | ||
Severity: | low | CC: | minhquangbui99 |
Priority: | P1 | ||
Hardware: | All | ||
OS: | Linux | ||
Kernel Version: | 5.5.11, 5.5.17, 5.7-rc1 | Subsystem: | |
Regression: | No | Bisected commit-id: | |
Attachments: | POC registers malformed headroom in umem registration |
Created attachment 288417 [details] POC registers malformed headroom in umem registration - When user calls setsockopt to register umem ring on XDP socket, the headroom can be a big unsigned 32 bit number, which leads to + This check in xdp_umem_reg function (net/xdp/xdp_umem.c) is bypassed size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM; if (size_chk < 0) return -EINVAL; + This initialization in the same function, the chunk_size_nohr becomes larger than actual size umem->chunk_size_nohr = chunk_size - headroom; - Consequence: I see that the chunk_size_nohr is used to check that the xdp_buff can fit into the chunk in xsk receive functions; with this malformed chunk_size_nohr, we can put a larger than chunk size xdp_buff to chunk, leads to an out of bound write. However, I research some more and find that to trigger to receive functions, we must redirect the packets from XDP program using xskmap which requires CAP_NET_ADMIN capability, which makes this very low impact. - Unfortunately, I cannot trigger xsk receive functions (I am new to Linux kernel) due to some error when binding XDP program to an interface. I can only prove the register side, the initialization of chunk_size_nohr via debugging. I attached the POC of malformed headroom umem register below, which I tested on kernel 5.5.11. The POC needs to be run with root privilege (or a user with CAP_NET_RAW, this could be achieve with new user namespace on kernel with CONFIG_USER_NS=y, however, as far as I know, next phases when allocate xskmap, CAP_NET_ADMIN is required and user namespace is not permitted). Thank you very much for reviewing this report