From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>, bpf@vger.kernel.org
Cc: Weiming Shi <bestswngs@gmail.com>, Xiang Mei <xmei5@asu.edu>,
	Xinyu Ma <mmmxny@gmail.com>, Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Kumar Kartikeya Dwivedi <memxor@gmail.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	Jiri Olsa <jolsa@kernel.org>,
	Emil Tsalapatis <emil@etsalapatis.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@fomichev.me>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Jakub Sitnicki <jakub@cloudflare.com>,
	Shuah Khan <shuah@kernel.org>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	Sechang Lim <rhkrqnwk98@gmail.com>,
	Ihor Solodrai <ihor.solodrai@linux.dev>,
	Cong Wang <cong.wang@bytedance.com>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf v2 1/7] bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data()
Date: Fri, 12 Jun 2026 10:03:15 +0800	[thread overview]
Message-ID: <8906e52a-8206-4e7b-a51c-d3dc0c77da43@linux.dev> (raw)
In-Reply-To: <DJ6DKMNBR4UX.27HEZMGEPEF7T@gmail.com>


On 6/12/26 12:53 AM, Alexei Starovoitov wrote:
> On Thu Jun 11, 2026 at 5:34 AM PDT, Jiayuan Chen wrote:
>> From: Weiming Shi <bestswngs@gmail.com>
>>
>> When the scatterlist ring is full or nearly full, bpf_msg_push_data()
>> enters a copy fallback path and computes copy + len for the page
>> allocation size. Since len comes from BPF with arg3_type = ARG_ANYTHING
>> and both are u32, a crafted len can wrap the sum to a small value,
>> causing an undersized allocation followed by an out-of-bounds memcpy.
>>
>>   BUG: unable to handle page fault for address: ffffed104089a402
>>   Oops: Oops: 0000 [#1] SMP KASAN NOPTI
>>   Call Trace:
>>    __asan_memcpy (mm/kasan/shadow.c:105)
>>    bpf_msg_push_data (net/core/filter.c:2852 net/core/filter.c:2788)
>>    bpf_prog_9ed8b5711920a7d7+0x2e/0x36
>>    sk_psock_msg_verdict (net/core/skmsg.c:934)
>>    tcp_bpf_sendmsg (net/ipv4/tcp_bpf.c:421 net/ipv4/tcp_bpf.c:584)
>>    __sys_sendto (net/socket.c:2206)
>>    do_syscall_64 (arch/x86/entry/syscall_64.c:94)
>>    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>>
>> Add an overflow check before the allocation.
>>
>> Link: https://lore.kernel.org/all/20260424155913.A19FDC19425@smtp.kernel.org
>> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
>> Tested-by: Xiang Mei <xmei5@asu.edu>
>> Tested-by: Xinyu Ma <mmmxny@gmail.com>
>> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
>> Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
>> Signed-off-by: Weiming Shi <bestswngs@gmail.com>
> That's not the right way to post somebody else's patches.
> You need to keep their authorship and SOB (as you did),
> but you also need to add your SOB after theirs.
>
> also pls target bpf-next.


Thanks Alexei, and sorry for the noise -- I'm still new to handling other
people's patches.

I'll keep their authorship and SOB, add my own SOB, and retarget to
bpf-next.
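As an added illustration of the wrap the quoted commit message describes (model code written for this page, not the kernel's bpf_msg_push_data() implementation): both operands are u32, so a large BPF-controlled len makes copy + len come out smaller than copy, and the hardened variant refuses that case before any allocation. The function names and the sample values are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the u32 size arithmetic in the copy fallback path described
 * above; this is illustration code, not the kernel's own implementation.
 * `copy` is the number of already-queued bytes that must be preserved,
 * `len` is the BPF-supplied amount to push (arg3_type = ARG_ANYTHING). */

/* Unfixed arithmetic: the sum silently wraps modulo 2^32, so the page
 * allocation can end up smaller than `copy`, the number of bytes the
 * following memcpy() will write into it. */
uint32_t alloc_size_unchecked(uint32_t copy, uint32_t len)
{
	return copy + len;
}

/* Fixed arithmetic: detect the wrap before computing the allocation size.
 * Returns false where the kernel would hand an error back to the program. */
bool alloc_size_checked(uint32_t copy, uint32_t len, uint32_t *size)
{
	uint32_t sum;

	if (__builtin_add_overflow(copy, len, &sum))
		return false;
	*size = sum;
	return true;
}

/* True when a memcpy() of `copy` bytes would run past an allocation of
 * `size` bytes, i.e. the out-of-bounds write KASAN reported. */
bool copy_overruns(uint32_t size, uint32_t copy)
{
	return copy > size;
}

int main(void)
{
	/* Constructed sample values: 0x100 bytes already queued, and a
	 * len chosen so that the u32 sum wraps to 0x10. */
	uint32_t copy = 0x100, len = 0xFFFFFF10, size;

	size = alloc_size_unchecked(copy, len);
	printf("unchecked: copy=%#x len=%#x -> size=%#x overrun=%d\n",
	       copy, len, size, copy_overruns(size, copy));
	if (!alloc_size_checked(copy, len, &size))
		printf("checked: rejected, copy + len overflows u32\n");
	return 0;
}
```

In kernel code the same test is spelled with check_add_overflow() from linux/overflow.h rather than the compiler builtin used here.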
