From: Paul Chaignon <paul.chaignon@gmail.com>
To: Eduard Zingerman <eddyz87@gmail.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>
Subject: Re: [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr
Date: Wed, 17 Sep 2025 10:02:47 +0200 [thread overview]
Message-ID: <aMprJytP58ODMcVL@mail.gmail.com> (raw)
In-Reply-To: <f746dce74aeb5de06fc25905523becccb88c55d9.camel@gmail.com>
On Tue, Sep 16, 2025 at 03:45:51PM -0700, Eduard Zingerman wrote:
> On Tue, 2025-09-16 at 17:17 +0200, Paul Chaignon wrote:
> > Syzkaller found a kernel warning on the following sock_addr program:
> >
> > 0: r0 = 0
> > 1: r2 = *(u32 *)(r1 +60)
> > 2: exit
> >
> > which triggers:
> >
> > verifier bug: error during ctx access conversion (0)
> >
> > This is happening because offset 60 in bpf_sock_addr corresponds to an
> > implicit padding of 4 bytes, right after msg_src_ip4. Access to this
> > padding isn't rejected in sock_addr_is_valid_access and it thus later
> > fails to convert the access.
> >
> > This patch fixes it by explicitly checking the various fields of
> > bpf_sock_addr in sock_addr_is_valid_access.
> >
> > I checked the other ctx structures and is_valid_access functions and
> > didn't find any other similar cases. Other cases of (properly handled)
> > padding are covered in new tests in a subsequent patch.
> >
> > Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
> > Reported-by: syzbot+136ca59d411f92e821b7@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
> > Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> > ---
>
> Double checked other context types with holes and paddings:
> - bpf_sk_lookup
> - bpf_sock
> - __sk_buff
> - sk_reuseport_md
>
> And agree with Paul's conclusion.
> (Note, however, that bpf_sock and __sk_buff explicitly refer to
> padding offsets).
Thanks for double checking! I think I had missed sk_reuseport_md when
going through those. I had also forgotten the test case for bpf_sock.
I added both as selftests in the v2.
>
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
>
> [...]
prev parent reply other threads:[~2025-09-17 8:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-16 15:17 [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr Paul Chaignon
2025-09-16 15:18 ` [PATCH bpf 2/3] selftests/bpf: Move macros to bpf_misc.h Paul Chaignon
2025-09-16 22:53 ` Eduard Zingerman
2025-09-16 15:19 ` [PATCH bpf 3/3] selftest/bpf: Test accesses to ctx padding Paul Chaignon
2025-09-16 22:59 ` Eduard Zingerman
2025-09-16 19:44 ` [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr Daniel Borkmann
2025-09-17 7:51 ` Paul Chaignon
2025-09-16 22:45 ` Eduard Zingerman
2025-09-17 8:02 ` Paul Chaignon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMprJytP58ODMcVL@mail.gmail.com \
--to=paul.chaignon@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=martin.lau@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.