Commit 1f6e04a1 authored by Xu Kuohai's avatar Xu Kuohai Committed by Andrii Nakryiko

bpf: Fix offset calculation error in __copy_map_value and zero_map_value

Function __copy_map_value and zero_map_value miscalculated copy offset,
resulting in possible copy of unwanted data to user or kernel.

Fix it.

Fixes: cc487558 ("bpf: Add zero_map_value to zero map value with special fields")
Fixes: 4d7d7f69 ("bpf: Adapt copy_map_value for multiple offset case")
Signed-off-by: default avatarXu Kuohai <xukuohai@huawei.com>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Acked-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/bpf/20221111125620.754855-1-xukuohai@huaweicloud.com
parent 4b45cd81
...@@ -315,7 +315,7 @@ static inline void __copy_map_value(struct bpf_map *map, void *dst, void *src, b ...@@ -315,7 +315,7 @@ static inline void __copy_map_value(struct bpf_map *map, void *dst, void *src, b
u32 next_off = map->off_arr->field_off[i]; u32 next_off = map->off_arr->field_off[i];
memcpy(dst + curr_off, src + curr_off, next_off - curr_off); memcpy(dst + curr_off, src + curr_off, next_off - curr_off);
curr_off += map->off_arr->field_sz[i]; curr_off = next_off + map->off_arr->field_sz[i];
} }
memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off); memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off);
} }
...@@ -344,7 +344,7 @@ static inline void zero_map_value(struct bpf_map *map, void *dst) ...@@ -344,7 +344,7 @@ static inline void zero_map_value(struct bpf_map *map, void *dst)
u32 next_off = map->off_arr->field_off[i]; u32 next_off = map->off_arr->field_off[i];
memset(dst + curr_off, 0, next_off - curr_off); memset(dst + curr_off, 0, next_off - curr_off);
curr_off += map->off_arr->field_sz[i]; curr_off = next_off + map->off_arr->field_sz[i];
} }
memset(dst + curr_off, 0, map->value_size - curr_off); memset(dst + curr_off, 0, map->value_size - curr_off);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment