Skip to content

bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES #10604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
kernel-patches-daemon-bpf wants to merge 2 commits into from
Closed

bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES #10604

kernel-patches-daemon-bpf wants to merge 2 commits into from
+39 −15

Conversation

@kernel-patches-daemon-bpf
Copy link

@kernel-patches-daemon-bpf kernel-patches-daemon-bpf bot commented Jan 4, 2026

Pull request for series with
subject: bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1038237

@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Jan 4, 2026

Upstream branch: a069190
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1038237
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Jan 6, 2026

Upstream branch: ea180ff
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1038237
version: 1

@mannkafai
bpf, test_run: Fix user-memory-access vulnerability for LIVE_FRAMES
4071821 
When testing XDP programs with LIVE_FRAMES mode, if the metalen is set
to >= (XDP_PACKET_HEADROOM - sizeof(struct xdp_frame)), there won't be
enough space for the xdp_frame conversion in xdp_update_frame_from_buff().
Additionally, the xdp_frame structure may be filled with user-provided data,
which can lead to a memory access vulnerability when converting to skb.

This fix reverts to the original version and ensures data_hard_start
correctly points to the xdp_frame structure, eliminating the security risk.

Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
Fixes: 294635a ("bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES")
Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
@mannkafai
selftests/bpf: Add test for xdp_md context with LIVE_FRAMES in BPF_PR…
f715586 
…OG_TEST_RUN

Add a test case uses xdp_md as context parameter for BPF_PROG_TEST_RUN
with LIVE_FRAMES flag. The test ensures that potential user-memory-access
vulnerabilities are properly prevented.

Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
@kernel-patches-daemon-bpf
Copy link
Author

kernel-patches-daemon-bpf bot commented Jan 6, 2026

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1038237 expired. Closing PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bpf-next changes-requested V1-ci-fail V1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mannkafai