public inbox for bpf@vger.kernel.org
From: sashiko-bot@kernel.org
To: "Amery Hung" <ameryhung@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf v1 1/1] bpf: Fix sk_local_storage diag dumping uninitialized special fields
Date: Fri, 24 Apr 2026 22:24:25 +0000
Message-ID: <20260424222426.710D2C19425@smtp.kernel.org>
In-Reply-To: <20260423222356.155387-1-ameryhung@gmail.com>

Sashiko AI review found 1 potential issue(s):
- [Critical] Calling `check_and_init_map_value()` on a netlink payload buffer writes kernel pointers into the message, causing a KASLR bypass.
--

commit 3db95684928f56c741f1722b8018d7049c261634
Author: Amery Hung <ameryhung@gmail.com>

bpf: Fix sk_local_storage diag dumping uninitialized special fields

This commit attempts to prevent uninitialized memory from being leaked to
userspace during socket diag dumps. It calls check_and_init_map_value() on
the netlink payload buffer to initialize special map fields that are skipped
by copy_map_value().

> diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
> --- a/net/core/bpf_sk_storage.c
> +++ b/net/core/bpf_sk_storage.c
> @@ -558,6 +558,7 @@ static int diag_get(struct bpf_local_storage_data *sdata, struct sk_buff *skb)
>  				      sdata->data, true);
>  	else
>  		copy_map_value(&smap->map, nla_data(nla_value), sdata->data);
> +	check_and_init_map_value(&smap->map, nla_data(nla_value));

Does calling check_and_init_map_value() directly on the netlink payload leak
kernel pointers to userspace?

The function check_and_init_map_value() calls bpf_obj_init() to initialize
the special fields in the map value.

For fields like BPF_LIST_HEAD and BPF_RB_NODE, bpf_obj_init() invokes
initialization macros like INIT_LIST_HEAD() and RB_CLEAR_NODE().

INIT_LIST_HEAD() assigns self-referential pointers to the list structure:

static inline void INIT_LIST_HEAD(struct list_head *list)
{
        WRITE_ONCE(list->next, list);
        WRITE_ONCE(list->prev, list);
}

Because this initialization is performed directly on the allocated netlink
payload inside the socket buffer, valid kernel heap addresses are written
into the message instead of zeros. When this message is sent to userspace,
it leaks the kernel addresses.

>  
>  	nla_nest_end(skb, nla_stg);
>  	return 0;
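Review bot: the added line `check_and_init_map_value(&smap->map, nla_data(nla_value));` at the end of this hunk replaces the uninitialized bytes with initializer output rather than zeros, and for list_head and rb_node style special fields that initializer is self-referential (INIT_LIST_HEAD() sets next and prev to the list pointer itself), so the netlink payload handed to userspace would carry an address of the skb data buffer. Since the commit's stated goal is only to stop uninitialized memory from reaching the dump, a memset() of each region that copy_map_value() skipped (the special-field offsets and sizes the map already knows) would meet that goal without exposing addresses; if the initializer call is kept, it should first be confirmed which field types bpf_obj_init() zero-fills and which it initializes with self-pointers.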

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260423222356.155387-1-ameryhung@gmail.com?part=1
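As an added illustration of the mechanism discussed in the review above (example code written for this page, not from the patch, the kernel, or the Sashiko reviewer): the struct layout, the copy helper and the STALE_BYTE fill pattern are constructed stand-ins for a map value, copy_map_value() and a stale netlink payload; init_list_head() only reproduces the self-referential assignment of the INIT_LIST_HEAD() quoted above; contains_self_pointer() is a hypothetical checker that flags a serialized buffer carrying its own address. It goes a step beyond the text by contrasting all three outcomes: copy only, initialize in place, and zero-fill of the skipped field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct list_head. */
struct list_head {
	struct list_head *next, *prev;
};

/* Same semantics as the kernel's INIT_LIST_HEAD(): next/prev point at the head itself. */
static void init_list_head(struct list_head *list)
{
	list->next = list;
	list->prev = list;
}

/* Constructed toy map value: ordinary fields around one "special" list_head field. */
struct map_value {
	uint64_t counter;
	struct list_head head;	/* special field, skipped by the copy below */
	uint64_t flags;
};

/* Hypothetical stand-in for copy_map_value(): copies ordinary fields, skips the special one. */
static void copy_ordinary_fields(struct map_value *dst, const struct map_value *src)
{
	dst->counter = src->counter;
	dst->flags = src->flags;
}

/* Hypothetical checker: does any pointer-sized word inside buf point back into buf? */
int contains_self_pointer(const void *buf, size_t len)
{
	const unsigned char *p = buf;
	uintptr_t lo = (uintptr_t)buf, hi = lo + len;
	size_t off;

	for (off = 0; off + sizeof(uintptr_t) <= len; off += sizeof(uintptr_t)) {
		uintptr_t word;

		memcpy(&word, p + off, sizeof(word));
		if (word >= lo && word < hi)
			return 1;
	}
	return 0;
}

/* Constructed fill pattern standing in for whatever stale bytes the payload buffer held. */
#define STALE_BYTE 0xAA

/* Copy only (the pre-patch behaviour): returns 1 if stale bytes survive in the special field. */
int stale_bytes_survive_copy(void)
{
	struct map_value src = { .counter = 42, .flags = 7 };
	struct map_value out;
	unsigned char stale[sizeof(struct list_head)];

	memset(&out, STALE_BYTE, sizeof(out));
	memset(stale, STALE_BYTE, sizeof(stale));
	copy_ordinary_fields(&out, &src);
	return memcmp(&out.head, stale, sizeof(stale)) == 0;
}

/* Copy then initialize in place (the patch's approach): 1 if the payload now holds its own address. */
int init_in_place_leaks_address(void)
{
	struct map_value src = { .counter = 42, .flags = 7 };
	struct map_value out;

	memset(&out, STALE_BYTE, sizeof(out));
	copy_ordinary_fields(&out, &src);
	init_list_head(&out.head);
	return contains_self_pointer(&out, sizeof(out));
}

/* Copy then zero the skipped field: 1 if an address still leaks, 0 otherwise. */
int zero_fill_leaks_address(void)
{
	struct map_value src = { .counter = 42, .flags = 7 };
	struct map_value out;

	memset(&out, STALE_BYTE, sizeof(out));
	copy_ordinary_fields(&out, &src);
	memset(&out.head, 0, sizeof(out.head));
	return contains_self_pointer(&out, sizeof(out));
}

int main(void)
{
	printf("copy only, stale bytes survive:   %d\n", stale_bytes_survive_copy());
	printf("init in place, self-pointer leak: %d\n", init_in_place_leaks_address());
	printf("zero fill, self-pointer leak:     %d\n", zero_fill_leaks_address());
	return 0;
}
```

The three functions return 1, 1 and 0 respectively: the copy-only path exposes stale bytes, the initialize-in-place path exposes the buffer's own address, and only the zero-fill path exposes neither. The same contains_self_pointer() scan can be run over any serialized buffer bound for a less privileged consumer as a cheap regression check.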


Thread overview: 6+ messages
2026-04-23 22:23 [PATCH bpf v1 1/1] bpf: Fix sk_local_storage diag dumping uninitialized special fields Amery Hung
2026-04-23 23:50 ` Mykyta Yatsenko
2026-04-24 18:49   ` Martin KaFai Lau
2026-04-24 19:02     ` Mykyta Yatsenko
2026-04-24 19:00 ` patchwork-bot+netdevbpf
2026-04-24 22:24 ` sashiko-bot [this message]
