* [PATCH bpf] bpf: Reject negative const offsets for buffer pointers
@ 2026-07-03 3:51 Sun Jian
2026-07-06 20:00 ` Eduard Zingerman
2026-07-07 6:52 ` Shung-Hsi Yu
0 siblings, 2 replies; 3+ messages in thread
From: Sun Jian @ 2026-07-03 3:51 UTC (permalink / raw)
To: bpf
Cc: ast, daniel, john.fastabend, andrii, eddyz87, memxor, martin.lau,
song, yonghong.song, jolsa, emil, shuah, mmullins, linux-kernel,
linux-kselftest, Sun Jian
The verifier rejects variable offsets for PTR_TO_TP_BUFFER and PTR_TO_BUF
accesses, but it currently accepts a constant negative offset produced by
pointer arithmetic.
For example, a raw tracepoint writable program can load ctx[0] as a
PTR_TO_TP_BUFFER, move it by -8, and then read from the adjusted pointer.
The register is still tracked as tp_buffer(imm=-8), but the access is
before the tracepoint writable buffer base and should be rejected.
Check the signed effective buffer offset before updating max_tp_access or
other buffer max access accounting. Reject negative effective offsets and
use the checked end offset for max access accounting.
Add a verifier test that rejects a raw tracepoint writable program using a
negative constant offset.
Fixes: 9df1c28bb752 ("bpf: add writable context for raw tracepoints")
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
---
kernel/bpf/verifier.c | 41 ++++++++++++++++---
.../bpf/progs/verifier_raw_tp_writable.c | 16 ++++++++
2 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 21a365d436a5..421ca118fcbf 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5326,14 +5326,18 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
static int __check_buffer_access(struct bpf_verifier_env *env,
const char *buf_info,
const struct bpf_reg_state *reg,
- argno_t argno, int off, int size)
+ argno_t argno, int off, int size,
+ u32 *access_end)
{
+ s64 start, var_off;
+
if (off < 0) {
verbose(env,
"%s invalid %s buffer access: off=%d, size=%d\n",
reg_arg_name(env, argno), buf_info, off, size);
return -EACCES;
}
+
if (!tnum_is_const(reg->var_off)) {
char tn_buf[48];
@@ -5344,6 +5348,29 @@ static int __check_buffer_access(struct bpf_verifier_env *env,
return -EACCES;
}
+ var_off = (s64)reg->var_off.value;
+ if (check_add_overflow(var_off, (s64)off, &start)) {
+ verbose(env,
+ "%s invalid %s buffer access: off=%d, var_off=%lld\n",
+ reg_arg_name(env, argno), buf_info, off, var_off);
+ return -EACCES;
+ }
+
+ if (start < 0) {
+ verbose(env,
+ "%s invalid negative %s buffer offset: off=%d, var_off=%lld\n",
+ reg_arg_name(env, argno), buf_info, off, var_off);
+ return -EACCES;
+ }
+
+ if (start > U32_MAX || size < 0 ||
+ check_add_overflow((u32)start, (u32)size, access_end)) {
+ verbose(env,
+ "%s invalid %s buffer access: off=%lld, size=%d\n",
+ reg_arg_name(env, argno), buf_info, start, size);
+ return -EACCES;
+ }
+
return 0;
}
@@ -5351,13 +5378,15 @@ static int check_tp_buffer_access(struct bpf_verifier_env *env,
const struct bpf_reg_state *reg,
argno_t argno, int off, int size)
{
+ u32 access_end;
int err;
- err = __check_buffer_access(env, "tracepoint", reg, argno, off, size);
+ err = __check_buffer_access(env, "tracepoint", reg, argno, off, size,
+ &access_end);
if (err)
return err;
- env->prog->aux->max_tp_access = max(reg->var_off.value + off + size,
+ env->prog->aux->max_tp_access = max(access_end,
env->prog->aux->max_tp_access);
return 0;
@@ -5370,13 +5399,15 @@ static int check_buffer_access(struct bpf_verifier_env *env,
u32 *max_access)
{
const char *buf_info = type_is_rdonly_mem(reg->type) ? "rdonly" : "rdwr";
+ u32 access_end;
int err;
- err = __check_buffer_access(env, buf_info, reg, argno, off, size);
+ err = __check_buffer_access(env, buf_info, reg, argno, off, size,
+ &access_end);
if (err)
return err;
- *max_access = max(reg->var_off.value + off + size, *max_access);
+ *max_access = max(access_end, *max_access);
return 0;
}
diff --git a/tools/testing/selftests/bpf/progs/verifier_raw_tp_writable.c b/tools/testing/selftests/bpf/progs/verifier_raw_tp_writable.c
index 14a0172e2141..4055a6443bc2 100644
--- a/tools/testing/selftests/bpf/progs/verifier_raw_tp_writable.c
+++ b/tools/testing/selftests/bpf/progs/verifier_raw_tp_writable.c
@@ -47,4 +47,20 @@ l0_%=: /* shift the buffer pointer to a variable location */\
: __clobber_all);
}
+SEC("raw_tracepoint.w")
+__description("raw_tracepoint_writable: reject negative const offset")
+__failure
+__msg("invalid negative tracepoint buffer offset")
+__naked void tracepoint_writable_reject_negative_const_offset(void)
+{
+ asm volatile (" \
+ r6 = *(u64 *)(r1 + 0); \
+ r6 += -8; \
+ r0 = *(u64 *)(r6 + 0); \
+ exit; \
+" :
+ :
+ : __clobber_all);
+}
+
char _license[] SEC("license") = "GPL";
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH bpf] bpf: Reject negative const offsets for buffer pointers
2026-07-03 3:51 [PATCH bpf] bpf: Reject negative const offsets for buffer pointers Sun Jian
@ 2026-07-06 20:00 ` Eduard Zingerman
2026-07-07 6:52 ` Shung-Hsi Yu
1 sibling, 0 replies; 3+ messages in thread
From: Eduard Zingerman @ 2026-07-06 20:00 UTC (permalink / raw)
To: Sun Jian, bpf
Cc: ast, daniel, john.fastabend, andrii, memxor, martin.lau, song,
yonghong.song, jolsa, emil, shuah, mmullins, linux-kernel,
linux-kselftest
On Thu, 2026-07-02 at 20:51 -0700, Sun Jian wrote:
> The verifier rejects variable offsets for PTR_TO_TP_BUFFER and PTR_TO_BUF
> accesses, but it currently accepts a constant negative offset produced by
> pointer arithmetic.
>
> For example, a raw tracepoint writable program can load ctx[0] as a
> PTR_TO_TP_BUFFER, move it by -8, and then read from the adjusted pointer.
> The register is still tracked as tp_buffer(imm=-8), but the access is
> before the tracepoint writable buffer base and should be rejected.
>
> Check the signed effective buffer offset before updating max_tp_access or
> other buffer max access accounting. Reject negative effective offsets and
> use the checked end offset for max access accounting.
>
> Add a verifier test that rejects a raw tracepoint writable program using a
> negative constant offset.
>
> Fixes: 9df1c28bb752 ("bpf: add writable context for raw tracepoints")
> Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
> ---
The commit 9df1c28bb752 ("bpf: add writable context for raw tracepoints")
delays the tracepoint buffer access to the attach time:
int bpf_probe_register(struct bpf_raw_event_map *btp, struct bpf_raw_tp_link *link)
{
...
if (prog->aux->max_tp_access > btp->writable_size)
return -EINVAL;
...
}
Called from syscall.c:bpf_raw_tp_link_attach().
Please modify the test case such that it exercises the attachment logic.
Also, please keep selftests in a separate patch and make use of the
full 100 characters line width limit.
pw-bot: cr.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH bpf] bpf: Reject negative const offsets for buffer pointers
2026-07-03 3:51 [PATCH bpf] bpf: Reject negative const offsets for buffer pointers Sun Jian
2026-07-06 20:00 ` Eduard Zingerman
@ 2026-07-07 6:52 ` Shung-Hsi Yu
1 sibling, 0 replies; 3+ messages in thread
From: Shung-Hsi Yu @ 2026-07-07 6:52 UTC (permalink / raw)
To: Sun Jian
Cc: bpf, ast, daniel, john.fastabend, andrii, eddyz87, memxor,
martin.lau, song, yonghong.song, jolsa, emil, shuah, mmullins,
linux-kernel, linux-kselftest
On Thu, Jul 02, 2026 at 08:51:37PM -0700, Sun Jian wrote:
[...]
> @@ -5344,6 +5348,29 @@ static int __check_buffer_access(struct bpf_verifier_env *env,
> return -EACCES;
> }
>
> + var_off = (s64)reg->var_off.value;
> + if (check_add_overflow(var_off, (s64)off, &start)) {
> + verbose(env,
> + "%s invalid %s buffer access: off=%d, var_off=%lld\n",
> + reg_arg_name(env, argno), buf_info, off, var_off);
> + return -EACCES;
> + }
Other pointer offset checks (check_mem_region_access and
adjust_ptr_min_max_vals) seem to check var_off against BPF_MAX_VAR_OFF,
and that `off` being >= 0. It would be great if the convention can be
kept for consistency, albeit being more conservative.
From a blind guess I would guess that compiler does not product a
pattern where `off` encoded in the instruction is negative but the net
overall offset is positive for PTR_TO_TP_BUFFER/PTR_TO_BUF, and
rejecting such pattern is fine.
r6 = *(u64 *)(r1 + 0);
r6 += 16;
r0 = *(u64 *)(r6 - 8);
One more comment below.
> +
> + if (start < 0) {
> + verbose(env,
> + "%s invalid negative %s buffer offset: off=%d, var_off=%lld\n",
> + reg_arg_name(env, argno), buf_info, off, var_off);
> + return -EACCES;
> + }
> +
> + if (start > U32_MAX || size < 0 ||
> + check_add_overflow((u32)start, (u32)size, access_end)) {
> + verbose(env,
> + "%s invalid %s buffer access: off=%lld, size=%d\n",
> + reg_arg_name(env, argno), buf_info, start, size);
> + return -EACCES;
> + }
If we check that var_off is within BPF_MAX_VAR_OFF and that `off` is not
negative, then `var_off + off + size` should be guaranteed to not
overflow max_tp_access, since the maximum of `off` is S16_MAX and the
maximum of `size` is 8.
> +
> return 0;
> }
[...]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-07 6:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-03 3:51 [PATCH bpf] bpf: Reject negative const offsets for buffer pointers Sun Jian
2026-07-06 20:00 ` Eduard Zingerman
2026-07-07 6:52 ` Shung-Hsi Yu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.