Re: [PATCH bpf v2 1/7] bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data()

BPF List
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Jiayuan Chen" <jiayuan.chen@linux.dev>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf v2 1/7] bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data()
Date: Thu, 11 Jun 2026 12:58:12 +0000	[thread overview]
Message-ID: <20260611125813.193281F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260611123538.156005-2-jiayuan.chen@linux.dev>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [Critical] bpf_msg_push_data and bpf_msg_pull_data lack a definitive `start <= msg->sg.size` validation. When operating on an empty or shrunk message, the do-while loop executes at least once and accesses the unused slot at `msg->sg.start`. This slot may contain a 'ghost' element from a previous `sk_msg_recvmsg` consumption, retaining a non-zero length and a freed page pointer. The lack of a `msg->sg.size` check allows a crafted `start` offset to bypass the bounds check, leading to a severe use-after-free.
- [High] Appending data to a full scatterlist ring bypasses the fallback path and corrupts the ring state. When `space == 0` and the append offset matches the end of the message, `bpf_msg_push_data` reads `copy = msg->sg.data[msg->sg.end].length`. If this unused slot is zero, the `if (copy)` fallback block is skipped. The function unconditionally increments `msg->sg.end`, forcing it to wrap around and equal `msg->sg.start`. This breaks the ring buffer state, causing `sk_msg_elem_used()` to return 0, falsely emptying the ring and leaking all previously allocated pages.
--

commit 82335dc5248913fa01b7466c6fedd541ff09a2f0
Author: Weiming Shi <bestswngs@gmail.com>

bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data()

This commit adds an overflow check to prevent copy + len from wrapping
around when allocating a page in bpf_msg_push_data. This fixes an issue
where an undersized allocation could lead to an out-of-bounds memcpy.

Link: https://lore.kernel.org/all/20260424155913.A19FDC19425@smtp.kernel.org

> diff --git a/net/core/filter.c b/net/core/filter.c
> index 9590877b0714f..3c8f1cedb217f 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -2829,6 +2829,9 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
>  	if (!space || (space == 1 && start != offset))
>  		copy = msg->sg.data[i].length;
>  
> +	if (unlikely(copy + len < copy))
> +		return -EINVAL;
> +
>  	page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP,
>  			   get_order(copy + len));
>  	if (unlikely(!page))

[Severity: Critical]
This is a pre-existing issue, but does bpf_msg_push_data lack a definitive
start <= msg->sg.size validation?

When operating on an empty or shrunk message, the do-while loop executes
at least once and accesses the unused slot at msg->sg.start:

    do {
        offset += l;
        l = sk_msg_elem(msg, i)->length;

        if (start < offset + l)
            break;
        sk_msg_iter_var_next(i);
    } while (i != msg->sg.end);

    if (start > offset + l)
        return -EINVAL;

If sk_msg_recvmsg advances msg->sg.start and frees the page without
zeroing the element length or pointer, could this helper read a stale
ghost element?

Without a msg->sg.size validation, could the helper incorrectly accept the
bounds as valid, leading to memcpy operations on a freed page pointer?

[Severity: High]
This is a pre-existing issue, but does appending data to a full
scatterlist ring bypass the fallback path and corrupt the ring state?

When space is 0 and the append offset matches the end of the message,
bpf_msg_push_data reads copy = msg->sg.data[msg->sg.end].length:

    if (!space || (space == 1 && start != offset))
        copy = msg->sg.data[i].length;

If this unused slot is zero, the if (copy) fallback block is skipped:

    if (copy) {
        ...
        goto place_new;
    }

    ...

    /* Slot(s) to place newly allocated data */
    sk_msg_iter_next(msg, end);

Does this unconditionally increment msg->sg.end, forcing it to wrap around
and equal msg->sg.start?

If so, could this break the ring buffer state, causing sk_msg_elem_used to
return 0, falsely emptying the ring and leaking all previously allocated
pages?

[Severity: Critical]
This is a pre-existing issue, but does a similar logic apply to
bpf_msg_pull_data?

    do {
        offset += len;
        len = sk_msg_elem(msg, i)->length;
        if (start < offset + len)
            break;
        sk_msg_iter_var_next(i);
    } while (i != msg->sg.end);

    if (unlikely(start >= offset + len))
        return -EINVAL;

Could this fail to validate against the actual message size and proceed
to process freed scatterlist elements?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260611123538.156005-1-jiayuan.chen@linux.dev?part=1

next prev parent reply	other threads:[~2026-06-11 12:58 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 12:34 [PATCH bpf v2 0/7] bpf, skmsg: some fixes for skmsg Jiayuan Chen
2026-06-11 12:34 ` [PATCH bpf v2 1/7] bpf, sockmap: reject overflowing copy + len in bpf_msg_push_data() Jiayuan Chen
2026-06-11 12:58   ` sashiko-bot [this message]
2026-06-11 16:27   ` Emil Tsalapatis
2026-06-11 16:53   ` Alexei Starovoitov
2026-06-12  2:03     ` Jiayuan Chen
2026-06-11 12:34 ` [PATCH bpf v2 2/7] bpf, sockmap: Fix wrong rsge offset " Jiayuan Chen
2026-06-11 12:54   ` sashiko-bot
2026-06-11 16:28   ` Emil Tsalapatis
2026-06-11 12:34 ` [PATCH bpf v2 3/7] bpf, sockmap: zero-initialize pages allocated in bpf_msg_push_data Jiayuan Chen
2026-06-11 14:55   ` sashiko-bot
2026-06-11 16:53   ` Emil Tsalapatis
2026-06-11 12:34 ` [PATCH bpf v2 4/7] bpf, sockmap: keep sk_msg copy state in sync Jiayuan Chen
2026-06-11 18:41   ` Emil Tsalapatis
2026-06-11 21:45   ` Cong Wang
2026-06-11 12:34 ` [PATCH bpf v2 5/7] sockmap: Fix use-after-free in udp_bpf_recvmsg() Jiayuan Chen
2026-06-11 12:53   ` sashiko-bot
2026-06-11 22:21     ` Emil Tsalapatis
2026-06-11 13:15   ` bot+bpf-ci
2026-06-11 22:21   ` Emil Tsalapatis
2026-06-11 12:34 ` [PATCH bpf v2 6/7] bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check Jiayuan Chen
2026-06-11 16:54   ` Emil Tsalapatis
2026-06-11 12:34 ` [PATCH bpf v2 7/7] selftests/bpf: add test for bpf_msg_pop_data() overflow Jiayuan Chen
2026-06-11 20:37   ` Emil Tsalapatis
2026-06-11 20:59 ` [PATCH bpf v2 0/7] bpf, skmsg: some fixes for skmsg Cong Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260611125813.193281F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=jiayuan.chen@linux.dev \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox