xsk: fix an integer overflow in xp_create_and_assign_umem()

Gavrilov Ilia · Paolo Abeni · commit 559847f56769 · 2025-03-19T22:57:04.000+01:00
Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 94033cd ("xsk: Optimize for aligned case") Cc: stable@vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru> Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
@@ -105,7 +105,7 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs,
 		if (pool->unaligned)
 			pool->free_heads[i] = xskb;
 		else
-			xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);
+			xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);
 	}
 
 	return pool;

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ struct xsk_buff_pool xp_create_and_assign_umem(struct xdp_sock xs,`
`105`	`105`	`if (pool->unaligned)`
`106`	`106`	`pool->free_heads[i] = xskb;`
`107`	`107`	`else`
`108`		`- xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);`
	`108`	`+ xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`return pool;`