Avoid clearing xdp_frame area if this was already done by previous
invocations of bpf_xdp_adjust_head.

The xdp_adjust_head helper can be called multiple times by the
bpf_prog.  If increasing the packet header size (with a negative
offset), the kernel must assume the bpf_prog stores valuable
information here, and not clear this information.

In case of extending the header into the xdp_frame area, the kernel
clears this area to avoid any info leaking.

The bug in the current implementation is that if the existing xdp->data
pointer has already been moved into the xdp_frame area, then memory is
cleared between the new-data pointer and xdp_frame-end, which covers an
area that might contain information stored by the BPF-prog (as curr
xdp->data lies between those pointers).

Fixes: 6dfb970d3dbd ("xdp: avoid leaking info stored in frame data on page reuse")
Signed-off-by: Jesper Dangaard Brouer <bro...@redhat.com>
---
 net/core/filter.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index a374b8560bc4..15e9b5477360 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2705,6 +2705,13 @@ BPF_CALL_2(bpf_xdp_adjust_head, struct xdp_buff *, xdp, 
int, offset)
        if (data < xdp_frame_end) {
                unsigned long clearlen = xdp_frame_end - data;
 
+               /* Handle if prev call adjusted xdp->data into xdp_frame area */
+               if (unlikely(xdp->data < xdp_frame_end)) {
+                       if (data < xdp->data)
+                               clearlen = xdp->data - data;
+                       else
+                               clearlen = 0;
+               }
                memset(data, 0, clearlen);
        }
 
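Review bot: the nested if/else added under `if (unlikely(xdp->data < xdp_frame_end))` recomputes clearlen in three places and, in the else branch, still reaches `memset(data, 0, clearlen)` with a length of 0. Clamping the end of the region once would express the same rule more directly: take the lower of xdp->data and xdp_frame_end as the clear end (for example with min(), assuming both are the same pointer type), and only memset when `data` is below it. That leaves a single length computation and drops the zero-length call. The new comment would also be more useful if it said what must be preserved, namely that bytes from the current xdp->data up to xdp_frame_end may already hold data written by the BPF program and were cleared on an earlier call, so only the newly exposed range from `data` to xdp->data needs zeroing.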
