xdp: Clear grow memory in bpf_xdp_adjust_tail()

Clearing memory of tail when grow happens, because it is too easy to write a XDP_PASS program that extend the tail, which expose this memory to users that can run tcpdump. Signed-off-by: N Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org> Acked-by: N Toke Høiland-Jørgensen <toke@redhat.com> Link: https://lore.kernel.org/bpf/158945349039.97035.5262100484553494.stgit@firesoul

xdp: Clear grow memory in bpf_xdp_adjust_tail()
Clearing memory of tail when grow happens, because it is too easy to write a XDP_PASS program that extend the tail, which expose this memory to users that can run tcpdump. Signed-off-by: N Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: N Alexei Starovoitov <ast@kernel.org> Acked-by: N Toke Høiland-Jørgensen <toke@redhat.com> Link: https://lore.kernel.org/bpf/158945349039.97035.5262100484553494.stgit@firesoul
ddb47d51 · Jesper Dangaard Brouer · Alexei Starovoitov · c8741e2b · ddb47d51
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

net/core/filter.c net/core/filter.c +4 -0

未找到文件。
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3427,6 +3427,10 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct xdp_buff *, xdp, int, offset)
 	if (unlikely(data_end < xdp->data + ETH_HLEN))
 		return -EINVAL;
+	/* Clear memory area on grow, can contain uninit kernel memory */
+	if (offset > 0)
+		memset(xdp->data_end, 0, offset);
 	xdp->data_end = data_end;
 	return 0;