From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
To: Sun Jian <sun.jian.kdev@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net,
john.fastabend@gmail.com, andrii@kernel.org, eddyz87@gmail.com,
memxor@gmail.com, martin.lau@linux.dev, song@kernel.org,
yonghong.song@linux.dev, jolsa@kernel.org, emil@etsalapatis.com,
shuah@kernel.org, mmullins@fb.com, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf v4 1/2] bpf: Reject negative const offsets for buffer pointers
Date: Wed, 8 Jul 2026 21:13:18 +0800 [thread overview]
Message-ID: <ak5HLLrYK3R_g2y_@u94a> (raw)
In-Reply-To: <20260708090151.151729-2-sun.jian.kdev@gmail.com>
On Wed, Jul 08, 2026 at 02:01:50AM -0700, Sun Jian wrote:
[...]
> Fixes: 022ac0750883 ("bpf: use reg->var_off instead of reg->off for pointers")
Agree that above is the commit that introduced the issue.
More comments below.
[...]
> @@ -5326,14 +5326,18 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
> static int __check_buffer_access(struct bpf_verifier_env *env,
> const char *buf_info,
> const struct bpf_reg_state *reg,
> - argno_t argno, int off, int size)
> + argno_t argno, int off, int size,
> + u32 *access_end)
> {
> + s64 start, var_off;
> +
> if (off < 0) {
> verbose(env,
> "%s invalid %s buffer access: off=%d, size=%d\n",
> reg_arg_name(env, argno), buf_info, off, size);
> return -EACCES;
> }
> +
> if (!tnum_is_const(reg->var_off)) {
> char tn_buf[48];
>
> @@ -5344,6 +5348,29 @@ static int __check_buffer_access(struct bpf_verifier_env *env,
> return -EACCES;
> }
>
> + var_off = (s64)reg->var_off.value;
> + if (var_off >= BPF_MAX_VAR_OFF || var_off <= -BPF_MAX_VAR_OFF) {
> + verbose(env, "%s %s buffer offset %lld is not allowed\n",
> + reg_arg_name(env, argno), buf_info, var_off);
> + return -EACCES;
> + }
> +
> + start = var_off + off;
> + if (start < 0) {
> + verbose(env,
> + "%s invalid negative %s buffer offset: off=%d, var_off=%lld\n",
> + reg_arg_name(env, argno), buf_info, off, var_off);
> + return -EACCES;
> + }
I was thinking of suggest to just do a single unsigned check
var_off = reg->var_off.value;
if (var_off >= BPF_MAX_VAR_OFF) {
...
But looking at the code before 022ac0750883, what you have is closer
aligned to the previous behavior, let's stick to this.
> +
> + if (size < 0) {
> + verbose(env, "%s invalid %s buffer access: off=%lld, size=%d\n",
> + reg_arg_name(env, argno), buf_info, start, size);
> + return -EACCES;
> + }
`size` comes from bpf_size_to_bytes(bpf_size) in check_mem_access(), and
is already checked to be not negative; plus other check_* helpers does
not check for this, so I think it can be dropped.
Otherwise, LGTM:
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> +
> + *access_end = (u32)start + (u32)size;
If you want, this could use a quick one-line comments regarding the fact
that it won't overflow, or even verifier_bug_if().
> +
> return 0;
> }
>
[...]
next prev parent reply other threads:[~2026-07-08 13:13 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 9:01 [PATCH bpf v4 0/2] bpf: Reject negative const offsets for buffer pointers Sun Jian
2026-07-08 9:01 ` [PATCH bpf v4 1/2] " Sun Jian
2026-07-08 13:13 ` Shung-Hsi Yu [this message]
2026-07-08 14:11 ` sun jian
2026-07-09 6:47 ` Shung-Hsi Yu
2026-07-09 12:47 ` sun jian
2026-07-09 18:21 ` Eduard Zingerman
2026-07-10 5:52 ` sun jian
2026-07-10 6:23 ` Eduard Zingerman
2026-07-10 7:25 ` sun jian
2026-07-10 7:47 ` Eduard Zingerman
2026-07-10 8:00 ` Shung-Hsi Yu
2026-07-10 8:10 ` Shung-Hsi Yu
2026-07-10 10:27 ` sun jian
2026-07-13 5:05 ` Shung-Hsi Yu
2026-07-13 20:44 ` Eduard Zingerman
2026-07-14 4:31 ` Shung-Hsi Yu
2026-07-14 5:01 ` Shung-Hsi Yu
2026-07-08 9:01 ` [PATCH bpf v4 2/2] selftests/bpf: Cover negative raw_tp writable buffer offsets Sun Jian
2026-07-09 16:59 ` Eduard Zingerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ak5HLLrYK3R_g2y_@u94a \
--to=shung-hsi.yu@suse.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=mmullins@fb.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=sun.jian.kdev@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.