[PATCH bpf-next v3 0/2] bpf: Align syscall writeback behavior with user-declared size

[PATCH bpf-next v3 0/2] bpf: Align syscall writeback behavior with user-declared size

[Yuyang Huang]

This series fixes an out-of-bounds write vulnerability in BPF_PROG_QUERY
while maintaining backward compatibility for older userspace applications.

BPF_PROG_QUERY unconditionally writes back the 'query.revision' field
to userspace. If userspace passes a smaller 'bpf_attr' structure (e.g. 40
bytes, which was the cgroup query layout before 'query.revision' was
added), the kernel performs an out-of-bounds write.

We address this by propagating the user-provided 'uattr_size' down to
the cgroup query handlers and conditionally skipping the write-back of
'query.revision' if the buffer is too small. This allows legacy cgroup
queries to succeed safely.

tcx and netkit queries are left unchanged since they were introduced in
the same merge window as 'query.revision' and have no legacy callers.

Finally, we add a selftest to verify these boundary behaviors.

Changes since v2:
- Propagate uattr_size to __cgroup_bpf_query() and conditionally write
  revision (instead of unconditionally rejecting smaller sizes in front-gate).
- Update BPF selftests to verify that cgroup queries succeed with
  OLD_QUERY_SIZE without writing revision, and succeed with FULL_QUERY_SIZE.
- Remove early size checks in the front-gate to keep the patch minimal.

Changes since v1:
- Simplify the kernel fix to checking the size only in bpf_prog_query().
- Revert all other subsystem query plumbing changes.
- Update BPF selftest to target BPF_CGROUP_INET_INGRESS cgroup query, and
  add verification for attr size boundaries.

Yuyang Huang (2):
  bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
  selftests/bpf: add verification for BPF_PROG_QUERY attr size
    boundaries

 include/linux/bpf-cgroup.h                    |  5 +-
 kernel/bpf/cgroup.c                           | 13 ++--
 kernel/bpf/syscall.c                          |  6 +-
 .../selftests/bpf/prog_tests/bpf_attr_size.c  | 69 +++++++++++++++++++
 4 files changed, 82 insertions(+), 11 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c

-- 
2.54.0.823.g6e5bcc1fc9-goog

[PATCH bpf-next v3 1/2] bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat

[Yuyang Huang]

BPF_PROG_QUERY writes back the 'query.revision' field unconditionally to
userspace. If userspace passes a smaller 'bpf_attr' structure (e.g. 40
bytes, which was the layout before the addition of 'query.revision'),
the kernel performs an out-of-bounds write.

Fix this by propagating the user-provided attribute size 'uattr_size'
down to the cgroup query handlers, and conditionally skipping writing
the revision field to userspace when the provided buffer size is
insufficient.

query.revision in bpf_mprog_query is structurally identical to the
cgroup case: a late tail field, written unconditionally.

But the backward-compat hazard is not the same.

The min-historical-size test is per command, and bpf_mprog_query only
serves attach types that were born with revision in the struct:

- tcx_prog_query -> BPF_TCX_INGRESS/EGRESS
- netkit_prog_query -> BPF_NETKIT_PRIMARY/PEER

tcx, netkit, the revision field, and bpf_mprog_query itself all landed in
the same v6.6 merge window (053c8e1f235d added the mprog query API +
revision; tcx in e420bed02507, netkit in 35dfaad7188c). There has never
been a tcx/netkit BPF_PROG_QUERY userspace that doesn't know about
revision. So for these commands the minimum legitimate struct already
covers offset 56-64 — no old binary can be broken here.

Contrast with cgroup: BPF_PROG_QUERY on cgroup attach types shipped in
2017; revision write-back was bolted on years later (120933984460). That
path has a real population of pre-revision callers.

Fixes: 120933984460 ("bpf: Implement mprog API on top of existing cgroup progs")
Cc: Maciej Żenczykowski <maze@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Yuyang Huang <yuyanghuang@google.com>
---
 include/linux/bpf-cgroup.h |  5 +++--
 kernel/bpf/cgroup.c        | 13 +++++++------
 kernel/bpf/syscall.c       |  6 +++---
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index b2e79c2b41d5..4d0cc65976a1 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -421,7 +421,7 @@ int cgroup_bpf_prog_detach(const union bpf_attr *attr,
 			   enum bpf_prog_type ptype);
 int cgroup_bpf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog);
 int cgroup_bpf_prog_query(const union bpf_attr *attr,
-			  union bpf_attr __user *uattr);
+			  union bpf_attr __user *uattr, u32 uattr_size);
 
 const struct bpf_func_proto *
 cgroup_common_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog);
@@ -452,7 +452,8 @@ static inline int cgroup_bpf_link_attach(const union bpf_attr *attr,
 }
 
 static inline int cgroup_bpf_prog_query(const union bpf_attr *attr,
-					union bpf_attr __user *uattr)
+					union bpf_attr __user *uattr,
+					u32 uattr_size)
 {
 	return -EINVAL;
 }
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 876f6a81a9b6..2c2bdaa86aa7 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1208,7 +1208,7 @@ static int cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
 
 /* Must be called with cgroup_mutex held to avoid races. */
 static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
-			      union bpf_attr __user *uattr)
+			      union bpf_attr __user *uattr, u32 uattr_size)
 {
 	__u32 __user *prog_attach_flags = u64_to_user_ptr(attr->query.prog_attach_flags);
 	bool effective_query = attr->query.query_flags & BPF_F_QUERY_EFFECTIVE;
@@ -1259,7 +1259,8 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
 		return -EFAULT;
 	if (!effective_query && from_atype == to_atype)
 		revision = cgrp->bpf.revisions[from_atype];
-	if (copy_to_user(&uattr->query.revision, &revision, sizeof(revision)))
+	if (uattr_size >= offsetofend(union bpf_attr, query.revision) &&
+	    copy_to_user(&uattr->query.revision, &revision, sizeof(revision)))
 		return -EFAULT;
 	if (attr->query.prog_cnt == 0 || !prog_ids || !total_cnt)
 		/* return early if user requested only program count + flags */
@@ -1312,12 +1313,12 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
 }
 
 static int cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
-			    union bpf_attr __user *uattr)
+			    union bpf_attr __user *uattr, u32 uattr_size)
 {
 	int ret;
 
 	cgroup_lock();
-	ret = __cgroup_bpf_query(cgrp, attr, uattr);
+	ret = __cgroup_bpf_query(cgrp, attr, uattr, uattr_size);
 	cgroup_unlock();
 	return ret;
 }
@@ -1520,7 +1521,7 @@ int cgroup_bpf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
 }
 
 int cgroup_bpf_prog_query(const union bpf_attr *attr,
-			  union bpf_attr __user *uattr)
+			  union bpf_attr __user *uattr, u32 uattr_size)
 {
 	struct cgroup *cgrp;
 	int ret;
@@ -1529,7 +1530,7 @@ int cgroup_bpf_prog_query(const union bpf_attr *attr,
 	if (IS_ERR(cgrp))
 		return PTR_ERR(cgrp);
 
-	ret = cgroup_bpf_query(cgrp, attr, uattr);
+	ret = cgroup_bpf_query(cgrp, attr, uattr, uattr_size);
 
 	cgroup_put(cgrp);
 	return ret;
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index a3c0214ca934..edd6b0dad0d3 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -4654,7 +4654,7 @@ static int bpf_prog_detach(const union bpf_attr *attr)
 #define BPF_PROG_QUERY_LAST_FIELD query.revision
 
 static int bpf_prog_query(const union bpf_attr *attr,
-			  union bpf_attr __user *uattr)
+			  union bpf_attr __user *uattr, u32 uattr_size)
 {
 	if (!bpf_net_capable())
 		return -EPERM;
@@ -4693,7 +4693,7 @@ static int bpf_prog_query(const union bpf_attr *attr,
 	case BPF_CGROUP_GETSOCKOPT:
 	case BPF_CGROUP_SETSOCKOPT:
 	case BPF_LSM_CGROUP:
-		return cgroup_bpf_prog_query(attr, uattr);
+		return cgroup_bpf_prog_query(attr, uattr, uattr_size);
 	case BPF_LIRC_MODE2:
 		return lirc_prog_query(attr, uattr);
 	case BPF_FLOW_DISSECTOR:
@@ -6260,7 +6260,7 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size)
 		err = bpf_prog_detach(&attr);
 		break;
 	case BPF_PROG_QUERY:
-		err = bpf_prog_query(&attr, uattr.user);
+		err = bpf_prog_query(&attr, uattr.user, size);
 		break;
 	case BPF_PROG_TEST_RUN:
 		err = bpf_prog_test_run(&attr, uattr.user);
-- 
2.54.0.823.g6e5bcc1fc9-goog

[PATCH bpf-next v3 2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries

[Yuyang Huang]

Add a new selftest to verify that the BPF syscall (specifically
BPF_PROG_QUERY) correctly handles different user-declared attribute sizes.

Specifically, verify that:
- For cgroup queries, a query with a size that covers 'prog_cnt' but is
  smaller than 'revision' (OLD_QUERY_SIZE) succeeds, but does not write
  to 'revision' (verifying backward compatibility).
- A query with full size (FULL_QUERY_SIZE) succeeds and writes both
  'prog_cnt' and 'revision'.

Fixes: 120933984460 ("bpf: Implement mprog API on top of existing cgroup progs")
Cc: Maciej Żenczykowski <maze@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Yuyang Huang <yuyanghuang@google.com>
---
 .../selftests/bpf/prog_tests/bpf_attr_size.c  | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c

diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
new file mode 100644
index 000000000000..32159dc64da8
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Google LLC */
+#include <linux/bpf.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <test_progs.h>
+#include <cgroup_helpers.h>
+#include "cgroup_skb_direct_packet_access.skel.h"
+
+#define OLD_QUERY_SIZE		offsetofend(union bpf_attr, query.prog_cnt)
+#define FULL_QUERY_SIZE		offsetofend(union bpf_attr, query.revision)
+
+static void test_query_size_boundaries(void)
+{
+	struct cgroup_skb_direct_packet_access *skel;
+	struct bpf_link *link = NULL;
+	union bpf_attr attr;
+	int cg_fd = -1;
+	int err;
+
+	skel = cgroup_skb_direct_packet_access__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "skel_load"))
+		return;
+
+	cg_fd = test__join_cgroup("/attr_size_cg");
+	if (!ASSERT_GE(cg_fd, 0, "join_cgroup"))
+		goto cleanup;
+
+	link = bpf_program__attach_cgroup(skel->progs.direct_packet_access,
+					  cg_fd);
+	if (!ASSERT_OK_PTR(link, "cg_attach"))
+		goto cleanup;
+
+	memset(&attr, 0, sizeof(attr));
+	attr.query.target_fd = cg_fd;
+	attr.query.attach_type = BPF_CGROUP_INET_INGRESS;
+	attr.query.revision = 0xdeadbeefdeadbeefULL;
+
+	err = syscall(__NR_bpf, BPF_PROG_QUERY, &attr, OLD_QUERY_SIZE);
+	if (ASSERT_OK(err, "query_old_size")) {
+		ASSERT_EQ(attr.query.prog_cnt, 1, "prog_cnt_written_old");
+		ASSERT_EQ(attr.query.revision, 0xdeadbeefdeadbeefULL,
+			  "revision_not_written_old");
+	}
+
+	memset(&attr, 0, sizeof(attr));
+	attr.query.target_fd = cg_fd;
+	attr.query.attach_type = BPF_CGROUP_INET_INGRESS;
+
+	err = syscall(__NR_bpf, BPF_PROG_QUERY, &attr, FULL_QUERY_SIZE);
+	if (!ASSERT_OK(err, "query_full_size"))
+		goto cleanup;
+
+	ASSERT_EQ(attr.query.prog_cnt, 1, "prog_cnt_written");
+	ASSERT_GT(attr.query.revision, 0, "revision_written");
+
+cleanup:
+	if (link)
+		bpf_link__destroy(link);
+	if (cg_fd >= 0)
+		close(cg_fd);
+	cgroup_skb_direct_packet_access__destroy(skel);
+}
+
+void test_bpf_attr_size(void)
+{
+	if (test__start_subtest("query_size_boundaries"))
+		test_query_size_boundaries();
+}
-- 
2.54.0.823.g6e5bcc1fc9-goog

Re: [PATCH bpf-next v3 2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The BPF_PROG_QUERY command handlers unconditionally write to output fields without verifying that `uattr_size` is large enough, causing out-of-bounds writes in user space memory.
--

commit ff64a4dde49ac116fe47c4da225f078f2f7358ef
Author: Yuyang Huang <yuyanghuang@google.com>

selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries

This commit adds a new selftest to verify that the BPF_PROG_QUERY syscall
correctly handles different user-declared attribute sizes. It specifically
tests that fields beyond the provided size are not written to user space,
verifying backward compatibility.

> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
> new file mode 100644
> index 0000000000000..32159dc64da8b
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
> @@ -0,0 +1,69 @@
[ ... ]
> +	err = syscall(__NR_bpf, BPF_PROG_QUERY, &attr, OLD_QUERY_SIZE);
> +	if (ASSERT_OK(err, "query_old_size")) {
> +		ASSERT_EQ(attr.query.prog_cnt, 1, "prog_cnt_written_old");
> +		ASSERT_EQ(attr.query.revision, 0xdeadbeefdeadbeefULL,
> +			  "revision_not_written_old");
> +	}

[Severity: High]
This is a pre-existing issue, but while this test checks if the revision
field respects the buffer size limit, do the other fields actually respect
these boundaries?

Looking at the BPF_PROG_QUERY command handlers, they appear to unconditionally
write to output fields without verifying if uattr_size is large enough to
contain them, which could cause out-of-bounds writes in user space memory.

For example, in kernel/bpf/cgroup.c:__cgroup_bpf_query():

    if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags)))
            return -EFAULT;
    if (copy_to_user(&uattr->query.prog_cnt, &total_cnt, sizeof(total_cnt)))
            return -EFAULT;

These writes happen unconditionally regardless of the size passed.

Furthermore, in kernel/bpf/syscall.c:bpf_prog_query(), the central
dispatcher drops the uattr_size parameter entirely for almost all backend
handlers:

    case BPF_LIRC_MODE2:
            return lirc_prog_query(attr, uattr);
    case BPF_FLOW_DISSECTOR:
    case BPF_SK_LOOKUP:
            return netns_bpf_prog_query(attr, uattr);

This means backends like bpf_mprog_query(), __netns_bpf_prog_query(), and
sock_map_bpf_prog_query() never even receive uattr_size and unconditionally
call copy_to_user() on fields like attach_flags, prog_cnt, and count.

If a user application calls bpf(BPF_PROG_QUERY, &attr, 4), which is only
large enough for target_fd, would the kernel proceed to write multiple values
past the end of the user's buffer, silently corrupting the process's stack
or heap?

> +
> +	memset(&attr, 0, sizeof(attr));
> +	attr.query.target_fd = cg_fd;
> +	attr.query.attach_type = BPF_CGROUP_INET_INGRESS;
[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260531075600.4058207-1-yuyanghuang@google.com?part=2

Re: [PATCH bpf-next v3 2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries

[Yuyang Huang]

On Sun, May 31, 2026 at 4:19 PM <sashiko-bot@kernel.org> wrote:
> [Severity: High]
> This is a pre-existing issue, but while this test checks if the revision
> field respects the buffer size limit, do the other fields actually respect
> these boundaries?
>
> Looking at the BPF_PROG_QUERY command handlers, they appear to unconditionally
> write to output fields without verifying if uattr_size is large enough to
> contain them, which could cause out-of-bounds writes in user space memory.
>
> For example, in kernel/bpf/cgroup.c:__cgroup_bpf_query():
>
>     if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags)))
>             return -EFAULT;
>     if (copy_to_user(&uattr->query.prog_cnt, &total_cnt, sizeof(total_cnt)))
>             return -EFAULT;
>
> These writes happen unconditionally regardless of the size passed.

attach_flags and prog_cnt should already have been present when
BPF_PROG_QUERY was introduced, so those places don't seem to have
backward compatibility issues.

>
> Furthermore, in kernel/bpf/syscall.c:bpf_prog_query(), the central
> dispatcher drops the uattr_size parameter entirely for almost all backend
> handlers:
>
>     case BPF_LIRC_MODE2:
>             return lirc_prog_query(attr, uattr);
>     case BPF_FLOW_DISSECTOR:
>     case BPF_SK_LOOKUP:
>             return netns_bpf_prog_query(attr, uattr);
>
> This means backends like bpf_mprog_query(), __netns_bpf_prog_query(), and
> sock_map_bpf_prog_query() never even receive uattr_size and unconditionally
> call copy_to_user() on fields like attach_flags, prog_cnt, and count.
>
> If a user application calls bpf(BPF_PROG_QUERY, &attr, 4), which is only
> large enough for target_fd, would the kernel proceed to write multiple values
> past the end of the user's buffer, silently corrupting the process's stack
> or heap?

Per the discussion in the previous review thread, the fix should be
minimal and limited to __cgroup_bpf_query only.

Re: [PATCH bpf-next v3 0/2] bpf: Align syscall writeback behavior with user-declared size

[patchwork-bot+netdevbpf]

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Sun, 31 May 2026 15:55:58 +0800 you wrote:
> This series fixes an out-of-bounds write vulnerability in BPF_PROG_QUERY
> while maintaining backward compatibility for older userspace applications.
> 
> BPF_PROG_QUERY unconditionally writes back the 'query.revision' field
> to userspace. If userspace passes a smaller 'bpf_attr' structure (e.g. 40
> bytes, which was the cgroup query layout before 'query.revision' was
> added), the kernel performs an out-of-bounds write.
> 
> [...]

Here is the summary with links:
  - [bpf-next,v3,1/2] bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
    https://git.kernel.org/bpf/bpf-next/c/21c4b99b27f3
  - [bpf-next,v3,2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries
    https://git.kernel.org/bpf/bpf-next/c/5add3a4ad1a3

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html