bpf: Fix offset calculation error in __copy_map_value and zero_map_value

Function __copy_map_value and zero_map_value miscalculated copy offset,
resulting in possible copy of unwanted data to user or kernel.

Fix it.

Fixes: cc48755808c6 ("bpf: Add zero_map_value to zero map value with special fields")
Fixes: 4d7d7f69f4b1 ("bpf: Adapt copy_map_value for multiple offset case")
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/bpf/20221111125620.754855-1-xukuohai@huaweicloud.com

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 74c6f44..c1bd1bd 100644 (file)
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -315,7 +315,7 @@ static inline void __copy_map_value(struct bpf_map *map, void *dst, void *src, b
                u32 next_off = map->off_arr->field_off[i];
 
                memcpy(dst + curr_off, src + curr_off, next_off - curr_off);
-               curr_off += map->off_arr->field_sz[i];
+               curr_off = next_off + map->off_arr->field_sz[i];
        }
        memcpy(dst + curr_off, src + curr_off, map->value_size - curr_off);
 }
@@ -344,7 +344,7 @@ static inline void zero_map_value(struct bpf_map *map, void *dst)
                u32 next_off = map->off_arr->field_off[i];
 
                memset(dst + curr_off, 0, next_off - curr_off);
-               curr_off += map->off_arr->field_sz[i];
+               curr_off = next_off + map->off_arr->field_sz[i];
        }
        memset(dst + curr_off, 0, map->value_size - curr_off);
 }