BPF List
* [PATCH bpf-next v3 0/2] bpf: Reject MEM_ALLOC BTF accesses past bounds
@ 2026-06-30  8:41 Yiyang Chen
  2026-06-30  8:41 ` [PATCH bpf-next v3 1/2] bpf: Reject MEM_ALLOC BTF accesses past object bounds Yiyang Chen
  2026-06-30  8:41 ` [PATCH bpf-next v3 2/2] selftests/bpf: Cover MEM_ALLOC access " Yiyang Chen
  0 siblings, 2 replies; 4+ messages in thread
From: Yiyang Chen @ 2026-06-30  8:41 UTC (permalink / raw)
  To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Eduard Zingerman, Kumar Kartikeya Dwivedi
  Cc: Yiyang Chen, John Fastabend, Martin KaFai Lau, Song Liu,
	Yonghong Song, Jiri Olsa, Emil Tsalapatis, Shuah Khan, bpf,
	linux-kselftest, linux-kernel

BTF struct walks can relax the top-level struct-size check for trailing
flexible arrays. That relaxation must not let a PTR_TO_BTF_ID | MEM_ALLOC
access escape the bytes allocated by bpf_obj_new() or bpf_percpu_obj_new().

Patch 1 rejects MEM_ALLOC BTF walks whose access range reaches past the
current struct size before applying the flexible-array relaxation. This now
also applies to struct ID matching used by kfunc and kptr type checks.
Patch 2 adds a linked_list negative loader case for this path.

Changes in v3:
- Pass the flexible-array walk policy through btf_struct_ids_match() callers,
  so MEM_ALLOC kfunc/kptr type checks use the same bounds rule.
- Rename the btf_struct_walk() parameter to walk_flex_arrays.
- Rebase onto current bpf-next.

v2:
https://lore.kernel.org/bpf/cover.1782197377.git.chenyy23@mails.tsinghua.edu.cn/

v1:
https://lore.kernel.org/bpf/cover.1782100805.git.chenyy23@mails.tsinghua.edu.cn/

Yiyang Chen (2):
  bpf: Reject MEM_ALLOC BTF accesses past object bounds
  selftests/bpf: Cover MEM_ALLOC access past object bounds

 include/linux/bpf.h                           |  2 +-
 kernel/bpf/btf.c                              | 17 +++++++++-----
 kernel/bpf/verifier.c                         | 11 +++++----
 .../selftests/bpf/prog_tests/linked_list.c    |  1 +
 .../selftests/bpf/progs/linked_list_fail.c    | 23 +++++++++++++++++++
 5 files changed, 43 insertions(+), 11 deletions(-)


base-commit: 53435562a725962e4de0c29653223129ba11643a
-- 
2.34.1
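
The bounds rule described in the cover letter above, as an added userspace model; it is not code from the patch or from the kernel. `struct type_model`, `sample_model` and `model_check_access()` are hypothetical names, and the meaning given to `walk_flex_arrays` (false for objects backed by exactly the struct size, assumed to be the MEM_ALLOC case) is an assumption drawn from the description.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample type: 8 fixed bytes, then a flexible array. */
struct sample_node {
	uint64_t key;
	uint8_t data[];		/* adds nothing to sizeof() */
};

/* Hypothetical type description for this model (not a kernel struct). */
struct type_model {
	size_t size;		/* struct size, flexible array excluded */
	size_t last_off;	/* byte offset of the last member */
	bool last_is_flex;	/* last member is a flexible array */
};

static const struct type_model sample_model = {
	.size = sizeof(struct sample_node),
	.last_off = offsetof(struct sample_node, data),
	.last_is_flex = true,
};

/*
 * Return 0 if [off, off + len) may be accessed, -EACCES otherwise.
 * walk_flex_arrays == false models an object backed by exactly t->size
 * bytes (assumed here to be the MEM_ALLOC case).
 */
int model_check_access(const struct type_model *t, size_t off, size_t len,
		       bool walk_flex_arrays)
{
	if (len == 0 || off > SIZE_MAX - len)
		return -EACCES;		/* empty or wrapping range */
	if (off + len <= t->size)
		return 0;		/* inside the fixed-size part */
	if (!walk_flex_arrays)
		return -EACCES;		/* no relaxation for exact-size objects */
	if (t->last_is_flex && off >= t->last_off)
		return 0;		/* relaxed: starts inside the flexible array */
	return -EACCES;
}

int main(void)
{
	printf("relaxed:    %d\n", model_check_access(&sample_model, 8, 1, true));
	printf("exact-size: %d\n", model_check_access(&sample_model, 8, 1, false));
	return 0;
}
```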


Thread overview: 4+ messages
2026-06-30  8:41 [PATCH bpf-next v3 0/2] bpf: Reject MEM_ALLOC BTF accesses past bounds Yiyang Chen
2026-06-30  8:41 ` [PATCH bpf-next v3 1/2] bpf: Reject MEM_ALLOC BTF accesses past object bounds Yiyang Chen
2026-06-30  9:03   ` sashiko-bot
2026-06-30  8:41 ` [PATCH bpf-next v3 2/2] selftests/bpf: Cover MEM_ALLOC access " Yiyang Chen