diff options
author | Xu Kuohai <xukuohai@huawei.com> | 2022-11-11 13:56:20 +0100 |
---|---|---|
committer | Andrii Nakryiko <andrii@kernel.org> | 2022-11-11 21:35:07 +0100 |
commit | 1f6e04a1c7b85da3b765ca9f46029e5d1826d839 (patch) | |
tree | d235618bfd0d5f48ae0336a3a2920db26c4e00a6 /include | |
parent | bpf: Initialize same number of free nodes for each pcpu_freelist (diff) | |
download | linux-1f6e04a1c7b85da3b765ca9f46029e5d1826d839.tar.xz linux-1f6e04a1c7b85da3b765ca9f46029e5d1826d839.zip |
bpf: Fix offset calculation error in __copy_map_value and zero_map_value
Function __copy_map_value and zero_map_value miscalculated copy offset,
resulting in possible copy of unwanted data to user or kernel.
Fix it.
Fixes: cc48755808c6 ("bpf: Add zero_map_value to zero map value with special fields")
Fixes: 4d7d7f69f4b1 ("bpf: Adapt copy_map_value for multiple offset case")
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/bpf/20221111125620.754855-1-xukuohai@huaweicloud.com
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/bpf.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 74c6f449d81e..c1bd1bd10506 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -315,7 +315,7 @@ static inline void __copy_map_value(struct bpf_map *map, void *dst, void *src, b u32 next_off = map->off_arr->field_off[i]; memcpy(dst + curr_off, src + curr_off, next_off - curr_off); - curr_off += map->off_arr->field_sz[i]; + curr_off = next_off + map->off_arr->field_sz[i]; } memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off); } @@ -344,7 +344,7 @@ static inline void zero_map_value(struct bpf_map *map, void *dst) u32 next_off = map->off_arr->field_off[i]; memset(dst + curr_off, 0, next_off - curr_off); - curr_off += map->off_arr->field_sz[i]; + curr_off = next_off + map->off_arr->field_sz[i]; } memset(dst + curr_off, 0, map->value_size - curr_off); } |