xsk: fix an integer overflow in xp_create_and_assign_umem()

fmaurer-rh · fmaurer-rh · commit 09717e108192 · 2025-07-29T13:47:51.000+02:00
JIRA: https://issues.redhat.com/browse/RHEL-96605 JIRA: https://issues.redhat.com/browse/RHEL-87917 CVE: CVE-2025-21997 commit 559847f Author: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> Date: Thu Mar 13 08:50:08 2025 +0000 xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 94033cd ("xsk: Optimize for aligned case") Cc: stable@vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru> Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Felix Maurer <fmaurer@redhat.com>
diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
@@ -106,7 +106,7 @@ struct xsk_buff_pool *xp_create_and_assign_umem(struct xdp_sock *xs,
 		if (pool->unaligned)
 			pool->free_heads[i] = xskb;
 		else
-			xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);
+			xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);
 	}
 
 	return pool;

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ struct xsk_buff_pool xp_create_and_assign_umem(struct xdp_sock xs,`
`106`	`106`	`if (pool->unaligned)`
`107`	`107`	`pool->free_heads[i] = xskb;`
`108`	`108`	`else`
`109`		`- xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);`
	`109`	`+ xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`return pool;`