* [PATCH] bpf: reject direct access to nullable PTR_TO_BUF pointers
@ 2026-03-31 17:27 Qi Tang
From: Qi Tang @ 2026-03-31 17:27 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann
Cc: Andrii Nakryiko, Martin KaFai Lau, John Fastabend,
Eduard Zingerman, Song Liu, bpf, Qi Tang
check_mem_access() matches PTR_TO_BUF via base_type() which strips
PTR_MAYBE_NULL, allowing direct dereference without a null check.

Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.
On stop callbacks these are NULL, causing a kernel NULL dereference.

Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the
existing PTR_TO_BTF_ID pattern.

BUG: kernel NULL pointer dereference, address: 0000000000000000
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:bpf_prog_5f0e2be830ac3243_null_deref_iter+0x10/0x25
Call Trace:
bpf_iter_run_prog+0x1c2/0x2e0
__bpf_hash_map_seq_show+0x120/0x180
bpf_seq_read+0x29c/0x530
vfs_read+0x179/0x930
ksys_read+0xef/0x1c0
do_syscall_64+0xe0/0x1290
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Kernel panic - not syncing: Fatal exception

Fixes: 20b2aff4bc15 ("bpf: Introduce MEM_RDONLY flag")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
---
kernel/bpf/verifier.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 937c9adf1b3d..17850836943b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7905,7 +7905,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
} else if (reg->type == CONST_PTR_TO_MAP) {
err = check_ptr_to_map_access(env, regs, regno, off, size, t,
value_regno);
- } else if (base_type(reg->type) == PTR_TO_BUF) {
+ } else if (base_type(reg->type) == PTR_TO_BUF &&
+ !type_may_be_null(reg->type)) {
bool rdonly_mem = type_is_rdonly_mem(reg->type);
u32 *max_access;
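Review bot: the rejection path for a nullable PTR_TO_BUF is not visible in this hunk; with the added `!type_may_be_null(reg->type)` condition the access no longer matches this branch and falls through to whatever `check_mem_access()` does for unmatched types, so the commit message should state which verifier error a program now gets for an unchecked `ctx->key` / `ctx->value` access, and a selftest should cover both that rejection and the acceptance of the same access after an explicit NULL check. The message also cites the "existing PTR_TO_BTF_ID pattern" as precedent, but that branch is outside the hunk's context lines; quoting it (or widening the context) would let reviewers confirm the two guards are now parallel.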
--
2.43.0
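The commit message above turns on one detail: base_type() masks off the PTR_MAYBE_NULL modifier before the PTR_TO_BUF comparison, so a nullable buffer pointer looks identical to a proven-non-NULL one. The stand-alone C model below is an added illustration, not kernel code or part of this patch; it assumes the flag layout from include/linux/bpf.h (base type in the low 8 bits, modifier flags above) and uses assumed numeric values for the base types, which only need to be distinct. It contrasts the pre-patch predicate with the patched one and shows why a NULL check, which drops the flag, makes the access acceptable again.

```c
/* Stand-alone model of the verifier's pointer-type encoding and of the
 * PTR_TO_BUF branch in check_mem_access(), before and after the patch.
 * Constants mirror the layout in include/linux/bpf.h; the base-type
 * values are assumed and only need to be distinct. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_BASE_TYPE_BITS 8
#define BPF_BASE_TYPE_MASK ((1u << BPF_BASE_TYPE_BITS) - 1)

enum { PTR_TO_BTF_ID = 12, PTR_TO_BUF = 20 };      /* assumed values */
enum {
	PTR_MAYBE_NULL = 1u << (0 + BPF_BASE_TYPE_BITS), /* may be NULL   */
	MEM_RDONLY     = 1u << (1 + BPF_BASE_TYPE_BITS), /* read-only mem */
};

static uint32_t base_type(uint32_t type) { return type & BPF_BASE_TYPE_MASK; }
static bool type_may_be_null(uint32_t type) { return type & PTR_MAYBE_NULL; }

/* Pre-patch check: base_type() has already discarded PTR_MAYBE_NULL, so a
 * nullable buffer pointer is accepted exactly like a non-NULL one. */
bool buf_access_allowed_old(uint32_t type)
{
	return base_type(type) == PTR_TO_BUF;
}

/* Patched check: a nullable PTR_TO_BUF no longer matches this branch and
 * is left to the verifier's generic rejection for unsupported accesses. */
bool buf_access_allowed_new(uint32_t type)
{
	return base_type(type) == PTR_TO_BUF && !type_may_be_null(type);
}

/* Models what the verifier does to the register type on the non-NULL
 * side of `if (ctx->key == NULL)`: the modifier flag is cleared. */
uint32_t mark_ptr_not_null(uint32_t type) { return type & ~PTR_MAYBE_NULL; }

int main(void)
{
	uint32_t ctx_key = PTR_TO_BUF | PTR_MAYBE_NULL;  /* iterator ctx->key */
	uint32_t ro_buf  = PTR_TO_BUF | MEM_RDONLY;      /* ordinary rdonly buf */

	printf("unchecked ctx->key: old=%d new=%d\n",
	       buf_access_allowed_old(ctx_key), buf_access_allowed_new(ctx_key));
	printf("after NULL check:   new=%d\n",
	       buf_access_allowed_new(mark_ptr_not_null(ctx_key)));
	printf("read-only buffer:   new=%d\n", buf_access_allowed_new(ro_buf));
	return 0;
}
```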
* Re: [PATCH] bpf: reject direct access to nullable PTR_TO_BUF pointers
@ 2026-03-31 17:50 ` Eduard Zingerman
From: Eduard Zingerman @ 2026-03-31 17:50 UTC (permalink / raw)
To: Qi Tang, Alexei Starovoitov, Daniel Borkmann
Cc: Andrii Nakryiko, Martin KaFai Lau, John Fastabend, Song Liu, bpf
On Wed, 2026-04-01 at 01:27 +0800, Qi Tang wrote:
> check_mem_access() matches PTR_TO_BUF via base_type() which strips
> PTR_MAYBE_NULL, allowing direct dereference without a null check.
>
> Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.
> On stop callbacks these are NULL, causing a kernel NULL dereference.
>
> Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the
> existing PTR_TO_BTF_ID pattern.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> Oops: Oops: 0000 [#1] SMP KASAN NOPTI
> RIP: 0010:bpf_prog_5f0e2be830ac3243_null_deref_iter+0x10/0x25
> Call Trace:
> bpf_iter_run_prog+0x1c2/0x2e0
> __bpf_hash_map_seq_show+0x120/0x180
> bpf_seq_read+0x29c/0x530
> vfs_read+0x179/0x930
> ksys_read+0xef/0x1c0
> do_syscall_64+0xe0/0x1290
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> Kernel panic - not syncing: Fatal exception
>
> Fixes: 20b2aff4bc15 ("bpf: Introduce MEM_RDONLY flag")
> Signed-off-by: Qi Tang <tpluszz77@gmail.com>
> ---
Hi Qi Tang,
Could you please add a selftest for this change?
[...]
* Re: [PATCH] bpf: reject direct access to nullable PTR_TO_BUF pointers
@ 2026-04-01 2:23 ` Qi Tang
From: Qi Tang @ 2026-04-01 2:23 UTC (permalink / raw)
To: Eduard Zingerman
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, John Fastabend, Song Liu, bpf, Qi Tang
Thanks for the review. Will send v2 with a selftest.
Qi Tang