From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Sechang Lim" <rhkrqnwk98@gmail.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"John Fastabend" <john.fastabend@gmail.com>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>
Cc: "Eduard Zingerman" <eddyz87@gmail.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"Jiri Olsa" <jolsa@kernel.org>, "Shuah Khan" <shuah@kernel.org>,
"David S . Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Simon Horman" <horms@kernel.org>,
"Cong Wang" <cwang@multikernel.io>,
"Emil Tsalapatis" <emil@etsalapatis.com>, <bpf@vger.kernel.org>,
<netdev@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf v2 1/2] bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check
Date: Wed, 10 Jun 2026 10:35:10 -0700
Message-ID: <DJ5JTZ788GDY.FXAAY47YDG3N@gmail.com>
In-Reply-To: <20260610081218.506709-2-rhkrqnwk98@gmail.com>
On Wed Jun 10, 2026 at 1:11 AM PDT, Sechang Lim wrote:
> start and len are u32, so
>
> u64 last = start + len;
>
> evaluates start + len in 32-bit and wraps before storing it in last.
> The bounds check
>
> if (start >= offset + l || last > msg->sg.size)
> return -EINVAL;
>
> can then be passed with an out-of-range start/len, after which the pop
> loop runs off the end of the scatterlist and sk_msg_shift_left() calls
> put_page() on the empty msg->sg.end slot:
>
> Oops: general protection fault, probably for non-canonical address
> 0xdffffc0000000001: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> RIP: 0010:sk_msg_shift_left net/core/filter.c:2957 [inline]
> RIP: 0010:____bpf_msg_pop_data net/core/filter.c:3103 [inline]
> RIP: 0010:bpf_msg_pop_data+0x753/0x1a10 net/core/filter.c:2984
> Call Trace:
> <TASK>
> bpf_prog_4cc92c278f4d5d56+0x1b1/0x1e8
> bpf_prog_run_pin_on_cpu+0x107/0x320 include/linux/filter.h:746
> sk_psock_msg_verdict+0x357/0x7f0 net/core/skmsg.c:934
> tcp_bpf_send_verdict net/ipv4/tcp_bpf.c:420 [inline]
> tcp_bpf_sendmsg+0x766/0x1ae0 net/ipv4/tcp_bpf.c:583
> __sock_sendmsg+0x153/0x1c0 net/socket.c:802
> __sys_sendto+0x326/0x430 net/socket.c:2265
> __x64_sys_sendto+0xe3/0x100 net/socket.c:2268
> do_syscall_64+0x14c/0x480
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> </TASK>
>
> Widen the addition with a (u64) cast so the bound is evaluated in
> 64-bit and a len near U32_MAX no longer wraps below msg->sg.size.
>
> While here, change pop from int to u32. It counts bytes against the
> unsigned scatterlist lengths and can never be negative, so the signed
> type only invites sign-confusion in the pop loop.
>
> Fixes: 7246d8ed4dcc ("bpf: helper to pop data from messages")
> Signed-off-by: Sechang Lim <rhkrqnwk98@gmail.com>
> ---
> net/core/filter.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 80439767e0ee..9cdfec2ca11e 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -2974,8 +2974,8 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
> u32, len, u64, flags)
> {
> u32 i = 0, l = 0, space, offset = 0;
> - u64 last = start + len;
> - int pop;
> + u64 last = (u64)start + len;
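Review bot: The `(u64)start + len` cast on the last `+` line does close the 32-bit wrap described in the message, but the hunk as quoted ends before the replacement for `- int pop;`, so the `int` to `u32` change the commit message and diffstat (2 insertions, 2 deletions) describe is not visible here; since that change only touches the declaration, the pop loop's comparisons against `pop` must already be unsigned-safe for it to be harmless, and the commit message should say that this was checked rather than only asserting that `pop` can never be negative.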
sashiko is correct that there are 4 other issues in very similar code paths,
all in skmsg. Please fix them all in one go.
pw-bot: cr
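The wrap the commit message describes, shown as an added stand-alone C illustration (not kernel code): the message's scatterlist size is reduced to a single `sg_size` value, and the two functions model the bounds check before and after the `(u64)` cast. The function names and the sample values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not code from net/core/filter.c. `sg_size` stands in
 * for msg->sg.size; the scatterlist walk itself is not modelled.
 */

/*
 * Mirrors the pre-fix check. `start` and `len` are 32-bit, so `start + len`
 * is computed in 32-bit arithmetic and only then widened to 64 bits: a
 * `len` close to UINT32_MAX wraps the sum to a small value that passes the
 * `last > sg_size` test. Returns 1 if the range would be accepted.
 */
static int pop_range_ok_wrapping(uint32_t start, uint32_t len, uint32_t sg_size)
{
	uint64_t last = start + len;		/* 32-bit add, wraps before widening */

	if (last > sg_size)
		return 0;
	return 1;
}

/*
 * Mirrors the fix: widening one operand first makes the addition 64-bit,
 * so the sum can reach at most 2 * UINT32_MAX and never wraps below sg_size.
 */
static int pop_range_ok_fixed(uint32_t start, uint32_t len, uint32_t sg_size)
{
	uint64_t last = (uint64_t)start + len;	/* 64-bit add, cannot wrap */

	if (last > sg_size)
		return 0;
	return 1;
}

/* Equivalent overflow predicate for callers that keep 32-bit arithmetic. */
static int pop_range_would_wrap(uint32_t start, uint32_t len)
{
	return start > UINT32_MAX - len;
}

int main(void)
{
	const uint32_t sg_size = 4096;			/* constructed message size */
	const uint32_t start = 100;
	const uint32_t huge_len = UINT32_MAX - 50;	/* 100 + huge_len wraps to 49 */

	printf("wrapping check accepts out-of-range pop: %d\n",
	       pop_range_ok_wrapping(start, huge_len, sg_size));
	printf("widened check accepts out-of-range pop:  %d\n",
	       pop_range_ok_fixed(start, huge_len, sg_size));
	printf("would 32-bit start+len wrap:             %d\n",
	       pop_range_would_wrap(start, huge_len));
	return 0;
}
```

The third helper is the same predicate written without widening, for code that must stay in 32-bit; in the kernel the usual spelling of that is `check_add_overflow()` from `include/linux/overflow.h`.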
Thread overview: 5+ messages
2026-06-10 8:11 [PATCH bpf v2 0/2] bpf, sockmap: fix bpf_msg_pop_data() integer overflow Sechang Lim
2026-06-10 8:11 ` [PATCH bpf v2 1/2] bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check Sechang Lim
2026-06-10 8:28 ` sashiko-bot
2026-06-10 17:35 ` Alexei Starovoitov [this message]
2026-06-10 8:11 ` [PATCH bpf v2 2/2] selftests/bpf: add test for bpf_msg_pop_data() overflow Sechang Lim