[PATCH] net: fix buffer overflow in af_xdp_umem_create()

Anastasia Belova posted 1 patch 5 months, 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20250602085719.5058-1-nabelova31@gmail.com
Maintainers: Ilya Maximets <i.maximets@ovn.org>, Jason Wang <jasowang@redhat.com>
net/af-xdp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] net: fix buffer overflow in af_xdp_umem_create()
Posted by Anastasia Belova 5 months, 2 weeks ago
s->pool has n_descs elements so maximum i should be
n_descs - 1. Fix the upper bound.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend")
Signed-off-by: Anastasia Belova <nabelova31@gmail.com>
---
 net/af-xdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/af-xdp.c b/net/af-xdp.c
index 01c5fb914e..d022534d76 100644
--- a/net/af-xdp.c
+++ b/net/af-xdp.c
@@ -323,7 +323,7 @@ static int af_xdp_umem_create(AFXDPState *s, int sock_fd, Error **errp)
 
     s->pool = g_new(uint64_t, n_descs);
     /* Fill the pool in the opposite order, because it's a LIFO queue. */
-    for (i = n_descs; i >= 0; i--) {
+    for (i = n_descs - 1; i >= 0; i--) {
         s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE;
     }
     s->n_pool = n_descs;
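
Review bot: The corrected loop header `for (i = n_descs - 1; i >= 0; i--)` still relies on `i >= 0` to terminate, which only works if `i` is a signed type, and the declaration of `i` is outside this hunk's context. An ascending form, `for (i = 0; i < n_descs; i++)`, stores exactly the same values in `s->pool[i]`, keeps the index bound visibly tied to the `g_new(uint64_t, n_descs)` allocation, and is correct whatever the signedness of `i`. It would also help if the commit message said that the old bound wrote one `uint64_t` past the end of the heap allocation, so that backporters can judge the impact.
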
-- 
2.47.0
Re: [PATCH] net: fix buffer overflow in af_xdp_umem_create()
Posted by Jason Wang 5 months, 2 weeks ago
On Mon, Jun 2, 2025 at 4:57 PM Anastasia Belova <nabelova31@gmail.com> wrote:
>
> s->pool has n_descs elements so maximum i should be
> n_descs - 1. Fix the upper bound.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend")
> Signed-off-by: Anastasia Belova <nabelova31@gmail.com>
> ---
>  net/af-xdp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/af-xdp.c b/net/af-xdp.c
> index 01c5fb914e..d022534d76 100644
> --- a/net/af-xdp.c
> +++ b/net/af-xdp.c
> @@ -323,7 +323,7 @@ static int af_xdp_umem_create(AFXDPState *s, int sock_fd, Error **errp)
>
>      s->pool = g_new(uint64_t, n_descs);
>      /* Fill the pool in the opposite order, because it's a LIFO queue. */
> -    for (i = n_descs; i >= 0; i--) {
> +    for (i = n_descs - 1; i >= 0; i--) {
>          s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE;
>      }
>      s->n_pool = n_descs;
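
Review bot: In `s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE;` the product is evaluated in the type that `i` and the macro promote to, and only then converted to the `uint64_t` element; neither type is visible in this hunk. If both are 32 bits wide, a large `n_descs` would overflow the multiplication before the store, so consider writing `(uint64_t)i * XSK_UMEM__DEFAULT_FRAME_SIZE` or confirming that `i` is already 64 bits wide.
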
> --
> 2.47.0
>

Queued.

Thanks
Re: [PATCH] net: fix buffer overflow in af_xdp_umem_create()
Posted by Ilya Maximets 5 months, 2 weeks ago
On 6/2/25 10:57 AM, Anastasia Belova wrote:
> s->pool has n_descs elements so maximum i should be
> n_descs - 1. Fix the upper bound.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend")
> Signed-off-by: Anastasia Belova <nabelova31@gmail.com>
> ---
>  net/af-xdp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/af-xdp.c b/net/af-xdp.c
> index 01c5fb914e..d022534d76 100644
> --- a/net/af-xdp.c
> +++ b/net/af-xdp.c
> @@ -323,7 +323,7 @@ static int af_xdp_umem_create(AFXDPState *s, int sock_fd, Error **errp)
>  
>      s->pool = g_new(uint64_t, n_descs);
>      /* Fill the pool in the opposite order, because it's a LIFO queue. */
> -    for (i = n_descs; i >= 0; i--) {
> +    for (i = n_descs - 1; i >= 0; i--) {
>          s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE;
>      }
>      s->n_pool = n_descs;
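
Review bot: The comment `Fill the pool in the opposite order` does not match the loop body: `s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE` puts offset `i * XSK_UMEM__DEFAULT_FRAME_SIZE` at index `i` whichever direction the loop counts, so the array contents are ascending either way. This is independent of the bound fix; a follow-up should either reword the comment or store `(n_descs - 1 - i) * XSK_UMEM__DEFAULT_FRAME_SIZE` if a reversed pool is what the LIFO queue needs.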

As far as the fix goes:

Reviewed-by: Ilya Maximets <i.maximets@ovn.org>


The loop itself though doesn't do what the comment says it should be doing,
but it's not related to this fix.  I'll send a separate patch for that.
Re: [PATCH] net: fix buffer overflow in af_xdp_umem_create()
Posted by Michael Tokarev 4 months ago
Ping?

Thanks,

/mjt

On 02.06.2025 13:09, Ilya Maximets wrote:
> On 6/2/25 10:57 AM, Anastasia Belova wrote:
>> s->pool has n_descs elements so maximum i should be
>> n_descs - 1. Fix the upper bound.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend")
>> Signed-off-by: Anastasia Belova <nabelova31@gmail.com>
>> ---
>>   net/af-xdp.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/af-xdp.c b/net/af-xdp.c
>> index 01c5fb914e..d022534d76 100644
>> --- a/net/af-xdp.c
>> +++ b/net/af-xdp.c
>> @@ -323,7 +323,7 @@ static int af_xdp_umem_create(AFXDPState *s, int sock_fd, Error **errp)
>>   
>>       s->pool = g_new(uint64_t, n_descs);
>>       /* Fill the pool in the opposite order, because it's a LIFO queue. */
>> -    for (i = n_descs; i >= 0; i--) {
>> +    for (i = n_descs - 1; i >= 0; i--) {
>>           s->pool[i] = i * XSK_UMEM__DEFAULT_FRAME_SIZE;
>>       }
>>       s->n_pool = n_descs;
> 
> As far as the fix goes:
> 
> Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
> 
> The loop itself though doesn't do what the comment says it should be doing,
> but it's not related to this fix.  I'll send a separate patch for that.
>