From: Eduard Zingerman <eddyz87@gmail.com>
To: Paul Chaignon <paul.chaignon@gmail.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>
Subject: Re: [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr
Date: Tue, 16 Sep 2025 15:45:51 -0700 [thread overview]
Message-ID: <f746dce74aeb5de06fc25905523becccb88c55d9.camel@gmail.com> (raw)
In-Reply-To: <f5310453da29debecc28fe487cd5638e0b9ae268.1758032885.git.paul.chaignon@gmail.com>
On Tue, 2025-09-16 at 17:17 +0200, Paul Chaignon wrote:
> Syzkaller found a kernel warning on the following sock_addr program:
>
> 0: r0 = 0
> 1: r2 = *(u32 *)(r1 +60)
> 2: exit
>
> which triggers:
>
> verifier bug: error during ctx access conversion (0)
>
> This is happening because offset 60 in bpf_sock_addr corresponds to an
> implicit padding of 4 bytes, right after msg_src_ip4. Access to this
> padding isn't rejected in sock_addr_is_valid_access and it thus later
> fails to convert the access.
>
> This patch fixes it by explicitly checking the various fields of
> bpf_sock_addr in sock_addr_is_valid_access.
>
> I checked the other ctx structures and is_valid_access functions and
> didn't find any other similar cases. Other cases of (properly handled)
> padding are covered in new tests in a subsequent patch.
>
> Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg")
> Reported-by: syzbot+136ca59d411f92e821b7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> ---
Double checked other context types with holes and paddings:
- bpf_sk_lookup
- bpf_sock
- __sk_buff
- sk_reuseport_md
And agree with Paul's conclusion.
(Note, however, that bpf_sock and __sk_buff explicitly refer to
padding offsets).
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
[...]
next prev parent reply other threads:[~2025-09-16 22:45 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-16 15:17 [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr Paul Chaignon
2025-09-16 15:18 ` [PATCH bpf 2/3] selftests/bpf: Move macros to bpf_misc.h Paul Chaignon
2025-09-16 22:53 ` Eduard Zingerman
2025-09-16 15:19 ` [PATCH bpf 3/3] selftest/bpf: Test accesses to ctx padding Paul Chaignon
2025-09-16 22:59 ` Eduard Zingerman
2025-09-16 19:44 ` [PATCH bpf 1/3] bpf: Explicitly check accesses to bpf_sock_addr Daniel Borkmann
2025-09-17 7:51 ` Paul Chaignon
2025-09-16 22:45 ` Eduard Zingerman [this message]
2025-09-17 8:02 ` Paul Chaignon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f746dce74aeb5de06fc25905523becccb88c55d9.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=martin.lau@linux.dev \
--cc=paul.chaignon@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.