xsk: fix an integer overflow in xp_create_and_assign_umem()

Gavrilov Ilia · gregkh · commit 205649d642a5 · 2025-03-28T21:59:01.000+01:00
commit 559847f56769037e5b2e0474d3dbff985b98083d upstream. Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 94033cd ("xsk: Optimize for aligned case") Cc: stable@vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru> Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
@@ -102,7 +102,7 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs,
 		if (pool->unaligned)
 			pool->free_heads[i] = xskb;
 		else
-			xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);
+			xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);
 	}
 
 	return pool;

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ struct xsk_buff_pool xp_create_and_assign_umem(struct xdp_sock xs,`
`102`	`102`	`if (pool->unaligned)`
`103`	`103`	`pool->free_heads[i] = xskb;`
`104`	`104`	`else`
`105`		`- xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);`
	`105`	`+ xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`return pool;`