From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Kuniyuki Iwashima" <kuniyu@google.com>, <jiayuan.chen@linux.dev>
Cc: <andrii@kernel.org>, <ast@kernel.org>, <bestswngs@gmail.com>,
<bpf@vger.kernel.org>, <cong.wang@bytedance.com>,
<daniel@iogearbox.net>, <davem@davemloft.net>,
<eddyz87@gmail.com>, <edumazet@google.com>,
<emil@etsalapatis.com>, <hawk@kernel.org>, <horms@kernel.org>,
<ihor.solodrai@linux.dev>, <jakub@cloudflare.com>,
<john.fastabend@gmail.com>, <jolsa@kernel.org>, <kuba@kernel.org>,
<linux-kernel@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
<martin.lau@linux.dev>, <memxor@gmail.com>, <mmmxny@gmail.com>,
<netdev@vger.kernel.org>, <pabeni@redhat.com>,
<rhkrqnwk98@gmail.com>, <sdf@fomichev.me>, <shuah@kernel.org>,
<song@kernel.org>, <xmei5@asu.edu>, <yonghong.song@linux.dev>
Subject: Re: [PATCH bpf-next v3 3/7] bpf, sockmap: zero-initialize pages allocated in bpf_msg_push_data
Date: Fri, 12 Jun 2026 18:36:54 -0700
Message-ID: <DJ7JBWTVOBVX.1YKW7ULLZC9Z4@gmail.com>
In-Reply-To: <20260613002906.1336958-1-kuniyu@google.com>
On Fri Jun 12, 2026 at 5:28 PM PDT, Kuniyuki Iwashima wrote:
> From: Jiayuan Chen <jiayuan.chen@linux.dev>
> Date: Fri, 12 Jun 2026 21:07:47 +0800
>> From: Weiming Shi <bestswngs@gmail.com>
>>
>> bpf_msg_push_data() allocates pages via alloc_pages() without
>> __GFP_ZERO. In the non-copy path, the entire page of uninitialized
>> heap content is added directly to the sk_msg scatterlist, which is
>> then transmitted over TCP to userspace via tcp_bpf_push(). In the
>> copy path, a gap of len bytes between the front and back memcpy
>> regions is similarly left uninitialized.
>>
>> This leads to a kernel heap information leak: stale page content
>> including kernel pointers from the direct-map and vmemmap regions
>> is transmitted to userspace, which can be used to defeat KASLR.
>>
>> Add __GFP_ZERO to the alloc_pages() call to ensure the allocated
>> page is always zeroed before it enters the scatterlist.
>>
>> Link: https://lore.kernel.org/all/20260424155913.A19FDC19425@smtp.kernel.org
>> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
>> Tested-by: Xiang Mei <xmei5@asu.edu>
>> Tested-by: Xinyu Ma <mmmxny@gmail.com>
>> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
>> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
>> Signed-off-by: Weiming Shi <bestswngs@gmail.com>
>> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
>> ---
>> net/core/filter.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 3e555f276ba80..6e345ca65ca14 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -2832,7 +2832,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
>> if (unlikely(copy + len < copy))
>> return -EINVAL;
>>
>> - page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP,
>> + page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP | __GFP_ZERO,
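Review bot: the added __GFP_ZERO clears the whole page on every allocation, which covers both leak sites the commit message describes (the full page handed to the scatterlist in the non-copy path and the `len`-byte gap between the front and back memcpy regions in the copy path), but it also pays for a page-sized clear on each bpf_msg_push_data() call even when the BPF program overwrites the inserted bytes itself; the commit message should state that cost and why a whole-page clear was chosen over zeroing only the inserted region, since the reply below already questions whether the kernel or the program should own this. The visible context keeps `if (unlikely(copy + len < copy)) return -EINVAL;` ahead of the allocation, so the size reaching alloc_pages() is bounded before the new flag takes effect.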
>
> This is a red flag.
>
> We have a bunch of KMSAN reports due to raw/packet sockets,
> which requires CAP_NET_ADMIN, and leave them unfixed although
> some people attempted to "fix" them by adding __GFP_ZERO to
> __alloc_skb().
Yep. It's a bpf prog's responsibility to avoid garbage in the payload.
pw-bot: cr
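The copy path the commit message describes (front bytes copied, a gap of `len` bytes, back bytes copied) is easy to picture in user space. The following is an added example written for this page, not kernel code and not part of the patch or the thread: it models that path with a malloc'ed "page" pre-filled with a constructed stale pattern in place of alloc_pages(), and compares three ways of handling the gap: no zeroing, a whole-page clear as __GFP_ZERO gives, and a memset of just the inserted region. The enum, function names, the 64-byte fragment, and the insertion offset of 16 are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096

/* How the inserted region gets cleared. Names are this example's own. */
enum zero_mode {
    ZERO_NONE,       /* alloc_pages() without __GFP_ZERO: stale content stays */
    ZERO_WHOLE_PAGE, /* what __GFP_ZERO in the patch does */
    ZERO_GAP_ONLY    /* alternative: memset() only the len bytes being inserted */
};

/* Stand-in for alloc_pages(): a malloc'ed page pre-filled with a constructed
 * "stale" pattern (never 0) standing in for whatever the previous owner left
 * behind. ZERO_WHOLE_PAGE clears it, as __GFP_ZERO would. */
static unsigned char *model_alloc_page(enum zero_mode mode)
{
    unsigned char *page = malloc(MODEL_PAGE_SIZE);
    if (!page)
        return NULL;
    for (size_t i = 0; i < MODEL_PAGE_SIZE; i++)
        page[i] = (unsigned char)(0xa5 ^ (i & 0x7f));
    if (mode == ZERO_WHOLE_PAGE)
        memset(page, 0, MODEL_PAGE_SIZE);
    return page;
}

/* Model of the copy path: `old` is the existing fragment of `copy` bytes,
 * `start` the insertion offset inside it, `len` the number of bytes pushed.
 * Front bytes are copied first, then the gap is left, then the back bytes,
 * mirroring the two memcpy regions the commit message describes. Returns a
 * malloc'ed page the caller frees, or NULL on an invalid or overflowing size
 * (the same `copy + len < copy` guard the hunk's context shows). */
static unsigned char *push_copy_path(const unsigned char *old, size_t copy,
                                     size_t start, size_t len,
                                     enum zero_mode mode)
{
    if (copy + len < copy || copy + len > MODEL_PAGE_SIZE || start > copy)
        return NULL;
    unsigned char *page = model_alloc_page(mode);
    if (!page)
        return NULL;
    memcpy(page, old, start);                               /* front */
    memcpy(page + start + len, old + start, copy - start);  /* back  */
    if (mode == ZERO_GAP_ONLY)
        memset(page + start, 0, len);                       /* the gap */
    return page;
}

/* Count non-zero bytes in the inserted region: these are the bytes that
 * would leave the kernel as stale heap content. */
static size_t stale_bytes(const unsigned char *page, size_t start, size_t len)
{
    size_t n = 0;
    for (size_t i = start; i < start + len; i++)
        if (page[i] != 0)
            n++;
    return n;
}

/* Run the model on a constructed 64-byte fragment of 'A', pushing 8 bytes at
 * offset 16, and return how many of those 8 bytes are stale. Returns
 * (size_t)-1 if the surrounding payload was not preserved. */
static size_t demo_stale(enum zero_mode mode)
{
    unsigned char old[64];
    memset(old, 'A', sizeof old);
    unsigned char *page = push_copy_path(old, sizeof old, 16, 8, mode);
    if (!page)
        return (size_t)-1;
    size_t n = stale_bytes(page, 16, 8);
    if (memcmp(page, old, 16) != 0 || memcmp(page + 24, old + 16, 48) != 0)
        n = (size_t)-1;
    free(page);
    return n;
}

int main(void)
{
    static const char *names[] = { "no zeroing", "__GFP_ZERO", "gap memset" };
    for (int m = ZERO_NONE; m <= ZERO_GAP_ONLY; m++)
        printf("%-10s: %zu of 8 inserted bytes still hold stale content\n",
               names[m], demo_stale((enum zero_mode)m));
    return 0;
}
```

The gap-only memset clears what the copy path leaks at a fraction of the cost of a page clear, but it does nothing for the non-copy path, where the commit message says the whole page enters the scatterlist; that is the trade-off behind choosing __GFP_ZERO in the hunk versus the reply's position that the BPF program should overwrite what it pushes.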
Thread overview: 21+ messages
2026-06-12 13:07 [PATCH bpf-next v3 0/7] bpf, skmsg: some fixes for skmsg Jiayuan Chen
2026-06-12 13:07 ` [PATCH bpf-next v3 1/7] bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data() Jiayuan Chen
2026-06-12 13:28 ` sashiko-bot
2026-06-13 0:09 ` Kuniyuki Iwashima
2026-06-12 13:07 ` [PATCH bpf-next v3 2/7] bpf, sockmap: Fix wrong rsge offset " Jiayuan Chen
2026-06-12 13:27 ` sashiko-bot
2026-06-13 0:17 ` Kuniyuki Iwashima
2026-06-12 13:07 ` [PATCH bpf-next v3 3/7] bpf, sockmap: zero-initialize pages allocated in bpf_msg_push_data Jiayuan Chen
2026-06-12 13:34 ` sashiko-bot
2026-06-13 0:28 ` Kuniyuki Iwashima
2026-06-13 1:36 ` Alexei Starovoitov [this message]
2026-06-12 13:07 ` [PATCH bpf-next v3 4/7] bpf, sockmap: keep sk_msg copy state in sync Jiayuan Chen
2026-06-12 13:57 ` bot+bpf-ci
2026-06-13 0:40 ` Kuniyuki Iwashima
2026-06-12 13:07 ` [PATCH bpf-next v3 5/7] sockmap: Fix use-after-free in udp_bpf_recvmsg() Jiayuan Chen
2026-06-12 13:24 ` sashiko-bot
2026-06-12 13:07 ` [PATCH bpf-next v3 6/7] bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check Jiayuan Chen
2026-06-13 0:44 ` Kuniyuki Iwashima
2026-06-12 13:07 ` [PATCH bpf-next v3 7/7] selftests/bpf: add test for bpf_msg_pop_data() overflow Jiayuan Chen
2026-06-12 17:09 ` [PATCH bpf-next v3 0/7] bpf, skmsg: some fixes for skmsg Alexei Starovoitov
2026-06-12 18:43 ` Kuniyuki Iwashima