From: Ilia Gavrilov Ilia.Gavrilov@infotecs.ru Date: Mon, 6 Oct 2025 08:53:17 +0000
The desc->len value can be set up to U32_MAX. If umem tx_metadata_len
In theory. Never in practice.
option is also set, then the value of the expression 'desc->len + pool->tx_metadata_len' can overflow and validation of the incorrect descriptor will be successfully passed. This can lead to a subsequent chain of arithmetic overflows in the xsk_build_skb() function and incorrect sk_buff allocation.
Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.
I think the general rule for sending fixes is that a fix must fix a real bug which can be reproduced in real life scenarios. Static Analysis Tools have no idea that nobody sends 4 Gb sized network packets.
Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len") Cc: stable@vger.kernel.org Signed-off-by: Ilia Gavrilov Ilia.Gavrilov@infotecs.ru
net/xdp/xsk_queue.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
Thanks, Olek