[PATCH bpf] selftests/bpf: Fix OOB read in dmabuf

Linux Kernel Selftest development
 help / color / mirror / Atom feed

* [PATCH bpf] selftests/bpf: Fix OOB read in dmabuf_collector
@ 2026-02-25  0:33 T.J. Mercier
  2026-02-25  1:41 ` T.J. Mercier
  2026-02-26 19:30 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: T.J. Mercier @ 2026-02-25  0:33 UTC (permalink / raw)
  To: ast, daniel, andrii, bpf, shuah, linux-kselftest
  Cc: quic_sukadev, T.J. Mercier

Dmabuf name allocations can be less than DMA_BUF_NAME_LEN characters,
but bpf_probe_read_kernel always tries to read exactly that many bytes.
If a name is less than DMA_BUF_NAME_LEN characters,
bpf_probe_read_kernel will read past the end. bpf_probe_read_kernel_str
stops at the first NUL terminator so use it instead, like
iter_dmabuf_for_each already does.

Fixes: ae5d2c59ecd7 ("selftests/bpf: Add test for dmabuf_iter")
Reported-by: Sukadev Bhattiprolu <quic_sukadev@quicinc.com>
Signed-off-by: T.J. Mercier <tjmercier@google.com>
---
 tools/testing/selftests/bpf/progs/dmabuf_iter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/progs/dmabuf_iter.c b/tools/testing/selftests/bpf/progs/dmabuf_iter.c
index 13cdb11fdeb2..9cbb7442646e 100644
--- a/tools/testing/selftests/bpf/progs/dmabuf_iter.c
+++ b/tools/testing/selftests/bpf/progs/dmabuf_iter.c
@@ -48,7 +48,7 @@ int dmabuf_collector(struct bpf_iter__dmabuf *ctx)
 
 	/* Buffers are not required to be named */
 	if (pname) {
-		if (bpf_probe_read_kernel(name, sizeof(name), pname))
+		if (bpf_probe_read_kernel_str(name, sizeof(name), pname) < 0)
 			return 1;
 
 		/* Name strings can be provided by userspace */
-- 
2.53.0.414.gf7e9f6c205-goog


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH bpf] selftests/bpf: Fix OOB read in dmabuf_collector
  2026-02-25  0:33 [PATCH bpf] selftests/bpf: Fix OOB read in dmabuf_collector T.J. Mercier
@ 2026-02-25  1:41 ` T.J. Mercier
  2026-02-26 19:30 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: T.J. Mercier @ 2026-02-25  1:41 UTC (permalink / raw)
  To: ast, daniel, andrii, bpf, shuah, linux-kselftest; +Cc: quic_sukadev, jaewookl

On Tue, Feb 24, 2026 at 4:35 PM T.J. Mercier <tjmercier@google.com> wrote:
>
> Dmabuf name allocations can be less than DMA_BUF_NAME_LEN characters,
> but bpf_probe_read_kernel always tries to read exactly that many bytes.
> If a name is less than DMA_BUF_NAME_LEN characters,
> bpf_probe_read_kernel will read past the end. bpf_probe_read_kernel_str
> stops at the first NUL terminator so use it instead, like
> iter_dmabuf_for_each already does.
>
> Fixes: ae5d2c59ecd7 ("selftests/bpf: Add test for dmabuf_iter")
> Reported-by: Sukadev Bhattiprolu <quic_sukadev@quicinc.com>

Sukadev just let me know that Jerome Lee <jaewookl@quicinc.com> should
actually be the reporter here.

> Signed-off-by: T.J. Mercier <tjmercier@google.com>
> ---
>  tools/testing/selftests/bpf/progs/dmabuf_iter.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/progs/dmabuf_iter.c b/tools/testing/selftests/bpf/progs/dmabuf_iter.c
> index 13cdb11fdeb2..9cbb7442646e 100644
> --- a/tools/testing/selftests/bpf/progs/dmabuf_iter.c
> +++ b/tools/testing/selftests/bpf/progs/dmabuf_iter.c
> @@ -48,7 +48,7 @@ int dmabuf_collector(struct bpf_iter__dmabuf *ctx)
>
>         /* Buffers are not required to be named */
>         if (pname) {
> -               if (bpf_probe_read_kernel(name, sizeof(name), pname))
> +               if (bpf_probe_read_kernel_str(name, sizeof(name), pname) < 0)
>                         return 1;
>
>                 /* Name strings can be provided by userspace */
> --
> 2.53.0.414.gf7e9f6c205-goog
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH bpf] selftests/bpf: Fix OOB read in dmabuf_collector
  2026-02-25  0:33 [PATCH bpf] selftests/bpf: Fix OOB read in dmabuf_collector T.J. Mercier
  2026-02-25  1:41 ` T.J. Mercier
@ 2026-02-26 19:30 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-02-26 19:30 UTC (permalink / raw)
  To: T.J. Mercier
  Cc: ast, daniel, andrii, bpf, shuah, linux-kselftest, quic_sukadev

Hello:

This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Tue, 24 Feb 2026 16:33:48 -0800 you wrote:
> Dmabuf name allocations can be less than DMA_BUF_NAME_LEN characters,
> but bpf_probe_read_kernel always tries to read exactly that many bytes.
> If a name is less than DMA_BUF_NAME_LEN characters,
> bpf_probe_read_kernel will read past the end. bpf_probe_read_kernel_str
> stops at the first NUL terminator so use it instead, like
> iter_dmabuf_for_each already does.
> 
> [...]

Here is the summary with links:
  - [bpf] selftests/bpf: Fix OOB read in dmabuf_collector
    https://git.kernel.org/bpf/bpf/c/6881af27f9ea

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-02-26 19:30 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-25  0:33 [PATCH bpf] selftests/bpf: Fix OOB read in dmabuf_collector T.J. Mercier
2026-02-25  1:41 ` T.J. Mercier
2026-02-26 19:30 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox