BPF List
 help / color / mirror / Atom feed
* [PATCH bpf-next v1 0/2] Fix leftover issues of the unify bpf_call_arg_meta patchset
@ 2026-07-15 17:21 Amery Hung
  2026-07-15 17:21 ` [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek Amery Hung
  2026-07-15 17:21 ` [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it Amery Hung
  0 siblings, 2 replies; 11+ messages in thread
From: Amery Hung @ 2026-07-15 17:21 UTC (permalink / raw)
  To: bpf
  Cc: alexei.starovoitov, andrii, daniel, eddyz87, memxor, ameryhung,
	kernel-team

Hi,

This patchset fixes preexisting issues flagged by Sashiko when reviewing
the patchset unifying bpf_call_arg_meta [0].

[0] https://lore.kernel.org/bpf/20260715064047.1793790-1-ameryhung@gmail.com/

Amery Hung (2):
  bpf: Disable raw mdoe for bloom filter map_peek
  bpf: Zero kfunc arg meta before error paths can read it

 kernel/bpf/verifier.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

-- 
2.52.0


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek
  2026-07-15 17:21 [PATCH bpf-next v1 0/2] Fix leftover issues of the unify bpf_call_arg_meta patchset Amery Hung
@ 2026-07-15 17:21 ` Amery Hung
  2026-07-15 17:38   ` sashiko-bot
                     ` (2 more replies)
  2026-07-15 17:21 ` [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it Amery Hung
  1 sibling, 3 replies; 11+ messages in thread
From: Amery Hung @ 2026-07-15 17:21 UTC (permalink / raw)
  To: bpf
  Cc: alexei.starovoitov, andrii, daniel, eddyz87, memxor, ameryhung,
	kernel-team

For a bloom filter, the value argument of bpf_map_peek_elem() is always
an input. Therefore, the verifier should not allow passing uninitialized
stack memory to it to avoid information leak.

bpf_map_peek_elem() tags its value argument ARG_PTR_TO_MAP_VALUE |
MEM_UNINIT, telling the verifier the callee fills the buffer. This holds
for queue/stack maps, but not for a bloom filter, which reads the buffer
as an input to test set membership and never writes it.

As a result, a program can pass an uninitialized stack buffer to
bpf_map_peek_elem() on a bloom filter. The verifier accepts it and marks
the buffer initialized on return, letting the program read back leftover
kernel stack memory. Bloom maps require CAP_BPF to create, so this is a
CAP_BPF-gated stack infoleak that bypasses the boundary CAP_BPF is meant
to enforce (arbitrary kernel reads are gated behind CAP_PERFMON).

Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 kernel/bpf/verifier.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index de816063ae63..c87e5fec5a85 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8422,6 +8422,15 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 			verifier_bug(env, "invalid map_ptr to access map->value");
 			return -EFAULT;
 		}
+
+		/*
+		 * Disable raw mode for bpf_map_peek_elem() on a bloom filter. The helper reads
+		 * the value buffer as an input rather than filling it.
+		 */
+		if (meta->func_id == BPF_FUNC_map_peek_elem &&
+		    meta->map.ptr->map_type == BPF_MAP_TYPE_BLOOM_FILTER)
+			meta->arg_raw_mem.regno = 0;
+
 		err = check_helper_mem_access(env, reg, argno, meta->map.ptr->value_size,
 					      arg_type & MEM_WRITE ? BPF_WRITE : BPF_READ,
 					      false, meta);
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it
  2026-07-15 17:21 [PATCH bpf-next v1 0/2] Fix leftover issues of the unify bpf_call_arg_meta patchset Amery Hung
  2026-07-15 17:21 ` [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek Amery Hung
@ 2026-07-15 17:21 ` Amery Hung
  2026-07-15 17:38   ` sashiko-bot
                     ` (2 more replies)
  1 sibling, 3 replies; 11+ messages in thread
From: Amery Hung @ 2026-07-15 17:21 UTC (permalink / raw)
  To: bpf
  Cc: alexei.starovoitov, andrii, daniel, eddyz87, memxor, ameryhung,
	kernel-team

check_kfunc_call() reads meta.func_name when bpf_fetch_kfunc_arg_meta()
returns -EACCES, but that error can come from fetch_kfunc_meta() (e.g.
fd_array_get_btf() rejecting BTF binding for a signed program) before
meta is memset(), leaving it uninitialized and risking a garbage deref
in verbose().

Move the memset() to the start of bpf_fetch_kfunc_arg_meta() so meta is
zeroed on every error return. The intended "not allowed" -EACCES path
still sets func_name first, so its message is unchanged.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 kernel/bpf/verifier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index c87e5fec5a85..ddfa4f57016b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -12571,11 +12571,12 @@ int bpf_fetch_kfunc_arg_meta(struct bpf_verifier_env *env,
 	struct bpf_kfunc_meta kfunc;
 	int err;
 
+	memset(meta, 0, sizeof(*meta));
+
 	err = fetch_kfunc_meta(env, func_id, offset, &kfunc);
 	if (err)
 		return err;
 
-	memset(meta, 0, sizeof(*meta));
 	meta->btf = kfunc.btf;
 	meta->func_id = kfunc.id;
 	meta->func_proto = kfunc.proto;
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek
  2026-07-15 17:21 ` [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek Amery Hung
@ 2026-07-15 17:38   ` sashiko-bot
  2026-07-15 18:07     ` Kumar Kartikeya Dwivedi
  2026-07-15 18:06   ` bot+bpf-ci
  2026-07-15 18:18   ` Kumar Kartikeya Dwivedi
  2 siblings, 1 reply; 11+ messages in thread
From: sashiko-bot @ 2026-07-15 17:38 UTC (permalink / raw)
  To: Amery Hung; +Cc: bpf

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] bpf_map_pop_elem() and bpf_map_peek_elem() leak uninitialized kernel stack memory on queue and stack maps if the map's spinlock is contended.
--

--- Patch [1]: [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek ---
commit 89de02f623877f9e477f4639136b8a23b2fbbd7c
Author: Amery Hung <ameryhung@gmail.com>

bpf: Disable raw mdoe for bloom filter map_peek

This commit prevents an information leak by disabling raw mode for
bpf_map_peek_elem() when used with a bloom filter. It notes that unlike
queue or stack maps, bloom filters use the value buffer as an input and
do not fill it.

> bpf: Disable raw mdoe for bloom filter map_peek

[Severity: Low]
This isn't a bug, but there is a typo (mdoe) in the commit subject line.

> bpf_map_peek_elem() tags its value argument ARG_PTR_TO_MAP_VALUE |
> MEM_UNINIT, telling the verifier the callee fills the buffer. This holds
> for queue/stack maps, but not for a bloom filter, which reads the buffer
> as an input to test set membership and never writes it.

[Severity: High]
This is a pre-existing issue and was not introduced by this patch, but
since the commit message mentions that the MEM_UNINIT assumption holds for
queue and stack maps, does it hold true if the map's spinlock is contended?

Looking at __queue_map_get() in kernel/bpf/queue_stack_maps.c:

	if (raw_res_spin_lock_irqsave(&qs->lock, flags))
		return -EBUSY;

And similarly in __stack_map_get():

	if (raw_res_spin_lock_irqsave(&qs->lock, flags))
		return -EBUSY;

If the lock fails (e.g. due to deadlock detection), these functions return
-EBUSY immediately without zero-initializing the output memory. Since the
verifier assumes the buffer is initialized due to the MEM_UNINIT tag, could
a BPF program read uninitialized kernel stack memory if bpf_map_pop_elem()
or bpf_map_peek_elem() is called on a queue or stack map and hits this
contention path?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260715172127.2416388-1-ameryhung@gmail.com?part=1

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it
  2026-07-15 17:21 ` [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it Amery Hung
@ 2026-07-15 17:38   ` sashiko-bot
  2026-07-15 18:11     ` Kumar Kartikeya Dwivedi
  2026-07-15 18:06   ` bot+bpf-ci
  2026-07-15 18:09   ` Kumar Kartikeya Dwivedi
  2 siblings, 1 reply; 11+ messages in thread
From: sashiko-bot @ 2026-07-15 17:38 UTC (permalink / raw)
  To: Amery Hung; +Cc: bpf

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] BPF kfuncs bpf_mem_cgroup_memory_events and bpf_mem_cgroup_vm_events do not handle negative enum values, bypassing bounds checks and allowing out-of-bounds array reads.
--

--- Patch [2]: [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it ---
commit 53f60dae3990fbb436a03cb878e7564339ccd1e9
Author: Amery Hung <ameryhung@gmail.com>

bpf: Zero kfunc arg meta before error paths can read it

check_kfunc_call() reads meta.func_name when bpf_fetch_kfunc_arg_meta()
returns -EACCES, but that error can come from fetch_kfunc_meta() (e.g.
fd_array_get_btf() rejecting BTF binding for a signed program) before
meta is memset(), leaving it uninitialized and risking a garbage deref
in verbose().

Move the memset() to the start of bpf_fetch_kfunc_arg_meta() so meta is
zeroed on every error return. The intended "not allowed" -EACCES path
still sets func_name first, so its message is unchanged.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index c87e5fec5a857..ddfa4f57016b7 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c

[ ... ]

[Severity: High]
This isn't a bug introduced by this patch, but this is a pre-existing issue.
Do the bounds checks in bpf_mem_cgroup_memory_events() and
bpf_mem_cgroup_vm_events() properly handle negative values?

Since enums evaluate to signed integers in C, and the BPF verifier does
not enforce enum ranges, a BPF program could pass a negative value to
bpf_mem_cgroup_memory_events() in mm/bpf_memcontrol.c:

	if (unlikely(event >= MEMCG_NR_MEMORY_EVENTS))
		return (unsigned long)-1;

	return atomic_long_read(&memcg->memory_events[event]);

For a negative value, the bounds check above evaluates to false, which
allows an out-of-bounds read on the memory_events array.

Can a similar out-of-bounds read happen in bpf_mem_cgroup_vm_events()?

	if (unlikely(!memcg_vm_event_item_valid(event)))
		return (unsigned long)-1;

	return memcg_events(memcg, event);

The validation routine in mm/memcontrol.c uses the same signed comparison:

bool memcg_vm_event_item_valid(enum vm_event_item idx)
{
	if (idx >= NR_VM_EVENT_ITEMS)
		return false;

	return !BAD_STAT_IDX(memcg_events_index(idx));
}

This allows negative index values to reach memcg_events_index():

static inline int memcg_events_index(enum vm_event_item idx)
{
	return mem_cgroup_events_index[idx];
}

Could this allow a BPF program to read arbitrary out-of-bounds kernel memory?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260715172127.2416388-1-ameryhung@gmail.com?part=2

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it
  2026-07-15 17:21 ` [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it Amery Hung
  2026-07-15 17:38   ` sashiko-bot
@ 2026-07-15 18:06   ` bot+bpf-ci
  2026-07-15 18:09   ` Kumar Kartikeya Dwivedi
  2 siblings, 0 replies; 11+ messages in thread
From: bot+bpf-ci @ 2026-07-15 18:06 UTC (permalink / raw)
  To: ameryhung, bpf
  Cc: alexei.starovoitov, andrii, daniel, eddyz87, memxor, ameryhung,
	kernel-team, ast, andrii, daniel, martin.lau, eddyz87,
	yonghong.song, clm, ihor.solodrai

[-- Attachment #1: Type: text/plain, Size: 1204 bytes --]

>     bpf: Zero kfunc arg meta before error paths can read it
>
>     check_kfunc_call() reads meta.func_name when bpf_fetch_kfunc_arg_meta()
>     returns -EACCES, but that error can come from fetch_kfunc_meta() (e.g.
>     fd_array_get_btf() rejecting BTF binding for a signed program) before
>     meta is memset(), leaving it uninitialized and risking a garbage deref
>     in verbose().
>
>     Move the memset() to the start of bpf_fetch_kfunc_arg_meta() so meta is
>     zeroed on every error return. The intended "not allowed" -EACCES path
>     still sets func_name first, so its message is unchanged.
>
>     Signed-off-by: Amery Hung <ameryhung@gmail.com>

This looks like a fix for an uninitialized read introduced when
fetch_kfunc_meta() was added and bpf_fetch_kfunc_arg_meta() was reordered so
the memset() ran after the fetch could return -EACCES.  Should this include a
Fixes: tag?

  Fixes: 08ca87d63243 ("bpf: Introduce struct bpf_kfunc_meta")


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/29436864141

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek
  2026-07-15 17:21 ` [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek Amery Hung
  2026-07-15 17:38   ` sashiko-bot
@ 2026-07-15 18:06   ` bot+bpf-ci
  2026-07-15 18:18   ` Kumar Kartikeya Dwivedi
  2 siblings, 0 replies; 11+ messages in thread
From: bot+bpf-ci @ 2026-07-15 18:06 UTC (permalink / raw)
  To: ameryhung, bpf
  Cc: alexei.starovoitov, andrii, daniel, eddyz87, memxor, ameryhung,
	kernel-team, ast, andrii, daniel, martin.lau, eddyz87,
	yonghong.song, clm, ihor.solodrai

[-- Attachment #1: Type: text/plain, Size: 1609 bytes --]

> commit 54799fbcec7677972df927e8da6804b0cd39495d
> Author: Amery Hung <ameryhung@gmail.com>
>
>     bpf: Disable raw mdoe for bloom filter map_peek
>
>     For a bloom filter, the value argument of bpf_map_peek_elem() is always
>     an input. Therefore, the verifier should not allow passing uninitialized
>     stack memory to it to avoid information leak.
>
>     bpf_map_peek_elem() tags its value argument ARG_PTR_TO_MAP_VALUE |
>     MEM_UNINIT, telling the verifier the callee fills the buffer. This holds
>     for queue/stack maps, but not for a bloom filter, which reads the buffer
>     as an input to test set membership and never writes it.
>
>     As a result, a program can pass an uninitialized stack buffer to
>     bpf_map_peek_elem() on a bloom filter. The verifier accepts it and marks
>     the buffer initialized on return, letting the program read back leftover
>     kernel stack memory. Bloom maps require CAP_BPF to create, so this is a
>     CAP_BPF-gated stack infoleak that bypasses the boundary CAP_BPF is meant
>     to enforce (arbitrary kernel reads are gated behind CAP_PERFMON).
>
>     Signed-off-by: Amery Hung <ameryhung@gmail.com>

This looks like a bug fix for the raw mode handling introduced in commit
92ec8b1b6b24. Should this include:

  Fixes: 92ec8b1b6b24 ("bpf: Factor out raw_mode-related fields in bpf_call_arg_meta")


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/29436864141

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek
  2026-07-15 17:38   ` sashiko-bot
@ 2026-07-15 18:07     ` Kumar Kartikeya Dwivedi
  0 siblings, 0 replies; 11+ messages in thread
From: Kumar Kartikeya Dwivedi @ 2026-07-15 18:07 UTC (permalink / raw)
  To: sashiko-reviews, Amery Hung; +Cc: bpf

On Wed Jul 15, 2026 at 7:38 PM CEST, sashiko-bot wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] bpf_map_pop_elem() and bpf_map_peek_elem() leak uninitialized kernel stack memory on queue and stack maps if the map's spinlock is contended.
> --
>
> --- Patch [1]: [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek ---
> commit 89de02f623877f9e477f4639136b8a23b2fbbd7c
> Author: Amery Hung <ameryhung@gmail.com>
>
> bpf: Disable raw mdoe for bloom filter map_peek
>
> This commit prevents an information leak by disabling raw mode for
> bpf_map_peek_elem() when used with a bloom filter. It notes that unlike
> queue or stack maps, bloom filters use the value buffer as an input and
> do not fill it.
>
>> bpf: Disable raw mdoe for bloom filter map_peek
>
> [Severity: Low]
> This isn't a bug, but there is a typo (mdoe) in the commit subject line.
>
>> bpf_map_peek_elem() tags its value argument ARG_PTR_TO_MAP_VALUE |
>> MEM_UNINIT, telling the verifier the callee fills the buffer. This holds
>> for queue/stack maps, but not for a bloom filter, which reads the buffer
>> as an input to test set membership and never writes it.
>
> [Severity: High]
> This is a pre-existing issue and was not introduced by this patch, but
> since the commit message mentions that the MEM_UNINIT assumption holds for
> queue and stack maps, does it hold true if the map's spinlock is contended?
>
> Looking at __queue_map_get() in kernel/bpf/queue_stack_maps.c:
>
> 	if (raw_res_spin_lock_irqsave(&qs->lock, flags))
> 		return -EBUSY;
>
> And similarly in __stack_map_get():
>
> 	if (raw_res_spin_lock_irqsave(&qs->lock, flags))
> 		return -EBUSY;
>

We should probably do memset(value, 0, qs->map.value_size) like the case below
in the branch returning -EBUSY.

> If the lock fails (e.g. due to deadlock detection), these functions return
> -EBUSY immediately without zero-initializing the output memory. Since the
> verifier assumes the buffer is initialized due to the MEM_UNINIT tag, could
> a BPF program read uninitialized kernel stack memory if bpf_map_pop_elem()
> or bpf_map_peek_elem() is called on a queue or stack map and hits this
> contention path?


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it
  2026-07-15 17:21 ` [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it Amery Hung
  2026-07-15 17:38   ` sashiko-bot
  2026-07-15 18:06   ` bot+bpf-ci
@ 2026-07-15 18:09   ` Kumar Kartikeya Dwivedi
  2 siblings, 0 replies; 11+ messages in thread
From: Kumar Kartikeya Dwivedi @ 2026-07-15 18:09 UTC (permalink / raw)
  To: Amery Hung, bpf
  Cc: alexei.starovoitov, andrii, daniel, eddyz87, memxor, kernel-team

On Wed Jul 15, 2026 at 7:21 PM CEST, Amery Hung wrote:
> check_kfunc_call() reads meta.func_name when bpf_fetch_kfunc_arg_meta()
> returns -EACCES, but that error can come from fetch_kfunc_meta() (e.g.
> fd_array_get_btf() rejecting BTF binding for a signed program) before
> meta is memset(), leaving it uninitialized and risking a garbage deref
> in verbose().
>
> Move the memset() to the start of bpf_fetch_kfunc_arg_meta() so meta is
> zeroed on every error return. The intended "not allowed" -EACCES path
> still sets func_name first, so its message is unchanged.
>
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
> ---

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it
  2026-07-15 17:38   ` sashiko-bot
@ 2026-07-15 18:11     ` Kumar Kartikeya Dwivedi
  0 siblings, 0 replies; 11+ messages in thread
From: Kumar Kartikeya Dwivedi @ 2026-07-15 18:11 UTC (permalink / raw)
  To: sashiko-reviews, Amery Hung; +Cc: bpf, Roman Gushchin

On Wed Jul 15, 2026 at 7:38 PM CEST, sashiko-bot wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] BPF kfuncs bpf_mem_cgroup_memory_events and bpf_mem_cgroup_vm_events do not handle negative enum values, bypassing bounds checks and allowing out-of-bounds array reads.
> --
>
> --- Patch [2]: [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it ---
> commit 53f60dae3990fbb436a03cb878e7564339ccd1e9
> Author: Amery Hung <ameryhung@gmail.com>
>
> bpf: Zero kfunc arg meta before error paths can read it
>
> check_kfunc_call() reads meta.func_name when bpf_fetch_kfunc_arg_meta()
> returns -EACCES, but that error can come from fetch_kfunc_meta() (e.g.
> fd_array_get_btf() rejecting BTF binding for a signed program) before
> meta is memset(), leaving it uninitialized and risking a garbage deref
> in verbose().
>
> Move the memset() to the start of bpf_fetch_kfunc_arg_meta() so meta is
> zeroed on every error return. The intended "not allowed" -EACCES path
> still sets func_name first, so its message is unchanged.
>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index c87e5fec5a857..ddfa4f57016b7 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>
> [ ... ]
>
> [Severity: High]
> This isn't a bug introduced by this patch, but this is a pre-existing issue.
> Do the bounds checks in bpf_mem_cgroup_memory_events() and
> bpf_mem_cgroup_vm_events() properly handle negative values?
>
> Since enums evaluate to signed integers in C, and the BPF verifier does
> not enforce enum ranges, a BPF program could pass a negative value to
> bpf_mem_cgroup_memory_events() in mm/bpf_memcontrol.c:
>
> 	if (unlikely(event >= MEMCG_NR_MEMORY_EVENTS))
> 		return (unsigned long)-1;
>
> 	return atomic_long_read(&memcg->memory_events[event]);
>
> For a negative value, the bounds check above evaluates to false, which
> allows an out-of-bounds read on the memory_events array.
>
> Can a similar out-of-bounds read happen in bpf_mem_cgroup_vm_events()?
>
> 	if (unlikely(!memcg_vm_event_item_valid(event)))
> 		return (unsigned long)-1;
>

+Cc Roman

I think we should just do:

	if (unlikely(event < 0 || !memcg_vm_event_item_valid(event)))
 		return (unsigned long)-1;

as fix?

> 	return memcg_events(memcg, event);
>
> The validation routine in mm/memcontrol.c uses the same signed comparison:
>
> bool memcg_vm_event_item_valid(enum vm_event_item idx)
> {
> 	if (idx >= NR_VM_EVENT_ITEMS)
> 		return false;
>
> 	return !BAD_STAT_IDX(memcg_events_index(idx));
> }
>
> This allows negative index values to reach memcg_events_index():
>
> static inline int memcg_events_index(enum vm_event_item idx)
> {
> 	return mem_cgroup_events_index[idx];
> }
>
> Could this allow a BPF program to read arbitrary out-of-bounds kernel memory?


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek
  2026-07-15 17:21 ` [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek Amery Hung
  2026-07-15 17:38   ` sashiko-bot
  2026-07-15 18:06   ` bot+bpf-ci
@ 2026-07-15 18:18   ` Kumar Kartikeya Dwivedi
  2 siblings, 0 replies; 11+ messages in thread
From: Kumar Kartikeya Dwivedi @ 2026-07-15 18:18 UTC (permalink / raw)
  To: Amery Hung, bpf
  Cc: alexei.starovoitov, andrii, daniel, eddyz87, memxor, kernel-team

On Wed Jul 15, 2026 at 7:21 PM CEST, Amery Hung wrote:
> For a bloom filter, the value argument of bpf_map_peek_elem() is always
> an input. Therefore, the verifier should not allow passing uninitialized
> stack memory to it to avoid information leak.
>
> bpf_map_peek_elem() tags its value argument ARG_PTR_TO_MAP_VALUE |
> MEM_UNINIT, telling the verifier the callee fills the buffer. This holds
> for queue/stack maps, but not for a bloom filter, which reads the buffer
> as an input to test set membership and never writes it.
>
> As a result, a program can pass an uninitialized stack buffer to
> bpf_map_peek_elem() on a bloom filter. The verifier accepts it and marks
> the buffer initialized on return, letting the program read back leftover
> kernel stack memory. Bloom maps require CAP_BPF to create, so this is a
> CAP_BPF-gated stack infoleak that bypasses the boundary CAP_BPF is meant
> to enforce (arbitrary kernel reads are gated behind CAP_PERFMON).
>
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
> ---

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

>  kernel/bpf/verifier.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index de816063ae63..c87e5fec5a85 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -8422,6 +8422,15 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
>  			verifier_bug(env, "invalid map_ptr to access map->value");
>  			return -EFAULT;
>  		}
> +
> +		/*
> +		 * Disable raw mode for bpf_map_peek_elem() on a bloom filter. The helper reads
> +		 * the value buffer as an input rather than filling it.
> +		 */
> +		if (meta->func_id == BPF_FUNC_map_peek_elem &&
> +		    meta->map.ptr->map_type == BPF_MAP_TYPE_BLOOM_FILTER)
> +			meta->arg_raw_mem.regno = 0;
> +

Sigh. Such unfortunate misuse of semantics.

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2026-07-15 18:18 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 17:21 [PATCH bpf-next v1 0/2] Fix leftover issues of the unify bpf_call_arg_meta patchset Amery Hung
2026-07-15 17:21 ` [PATCH bpf-next v1 1/2] bpf: Disable raw mdoe for bloom filter map_peek Amery Hung
2026-07-15 17:38   ` sashiko-bot
2026-07-15 18:07     ` Kumar Kartikeya Dwivedi
2026-07-15 18:06   ` bot+bpf-ci
2026-07-15 18:18   ` Kumar Kartikeya Dwivedi
2026-07-15 17:21 ` [PATCH bpf-next v1 2/2] bpf: Zero kfunc arg meta before error paths can read it Amery Hung
2026-07-15 17:38   ` sashiko-bot
2026-07-15 18:11     ` Kumar Kartikeya Dwivedi
2026-07-15 18:06   ` bot+bpf-ci
2026-07-15 18:09   ` Kumar Kartikeya Dwivedi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox