Re: [PATCH bpf-next 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow

["Emil Tsalapatis" <emil@etsalapatis.com>]

On Tue Jun 16, 2026 at 12:35 PM EDT, Yiyang Chen wrote:
> Add a HID-BPF regression check for hid_bpf_get_data() requests whose
> size would overflow when added to the offset.
>
> The new rdesc fixup callback asks for offset 2 and size ~0ULL, then
> records whether the helper returns NULL. A vulnerable kernel returns a
> non-NULL pointer because the runtime check wraps the addition. A fixed
> kernel rejects the request. The test only checks the helper result and
> does not dereference the returned pointer.
>
> Also add KHDR_INCLUDES to the HID selftest build so hid_bpf.c sees the
> current kernel UAPI HID definitions on systems whose installed headers do
> not provide enum hid_report_type.
>
> Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
> ---
>  tools/testing/selftests/hid/Makefile    |  2 +-
>  tools/testing/selftests/hid/hid_bpf.c   | 11 +++++++++++
>  tools/testing/selftests/hid/progs/hid.c | 18 ++++++++++++++++++
>  3 files changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/hid/Makefile b/tools/testing/selftests/hid/Makefile
> index 50ec9e0406aba..357c6eb5ff5ee 100644
> --- a/tools/testing/selftests/hid/Makefile
> +++ b/tools/testing/selftests/hid/Makefile
> @@ -24,7 +24,7 @@ CXX ?= $(CROSS_COMPILE)g++
>  
>  HOSTPKG_CONFIG := pkg-config
>  
> -CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT)
> +CFLAGS += -g -O0 -rdynamic -Wall -Werror -I$(OUTPUT) $(KHDR_INCLUDES)
>  CFLAGS += -I$(OUTPUT)/tools/include
>  
>  LDLIBS += -lelf -lz -lrt -lpthread
> diff --git a/tools/testing/selftests/hid/hid_bpf.c b/tools/testing/selftests/hid/hid_bpf.c
> index 1e979fb3542ba..f0a210900e63d 100644
> --- a/tools/testing/selftests/hid/hid_bpf.c
> +++ b/tools/testing/selftests/hid/hid_bpf.c
> @@ -887,6 +887,17 @@ TEST_F(hid_bpf, test_rdesc_fixup)
>  	ASSERT_EQ(rpt_desc.value[4], 0x42);
>  }
>  
> +TEST_F(hid_bpf, test_rdesc_fixup_get_data_overflow)
> +{
> +	const struct test_program progs[] = {
> +		{ .name = "hid_rdesc_fixup_get_data_overflow" },
> +	};
> +
> +	LOAD_PROGRAMS(progs);
> +
> +	ASSERT_EQ(self->skel->bss->get_data_overflow_check, 1);

Can you just use the return value of the method? Why the separate
variable?

> +}
> +
>  static int libbpf_print_fn(enum libbpf_print_level level,
>  			   const char *format, va_list args)
>  {
> diff --git a/tools/testing/selftests/hid/progs/hid.c b/tools/testing/selftests/hid/progs/hid.c
> index 5ecc845ef7921..c6ae2cd045b0e 100644
> --- a/tools/testing/selftests/hid/progs/hid.c
> +++ b/tools/testing/selftests/hid/progs/hid.c
> @@ -13,6 +13,7 @@ struct attach_prog_args {
>  
>  __u64 callback_check = 52;
>  __u64 callback2_check = 52;
> +__u64 get_data_overflow_check;
>  
>  SEC("?struct_ops/hid_device_event")
>  int BPF_PROG(hid_first_event, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
> @@ -240,6 +241,23 @@ struct hid_bpf_ops rdesc_fixup = {
>  	.hid_rdesc_fixup = (void *)hid_rdesc_fixup,
>  };
>  
> +SEC("?struct_ops.s/hid_rdesc_fixup")
> +int BPF_PROG(hid_rdesc_fixup_get_data_overflow, struct hid_bpf_ctx *hid_ctx)
> +{
> +	__u8 *data;
> +
> +	data = hid_bpf_get_data(hid_ctx, 2 /* offset */, ~0ULL /* size */);
> +	if (!data)
> +		get_data_overflow_check = 1;
> +
> +	return 0;
> +}
> +
> +SEC(".struct_ops.link")
> +struct hid_bpf_ops rdesc_fixup_get_data_overflow = {
> +	.hid_rdesc_fixup = (void *)hid_rdesc_fixup_get_data_overflow,
> +};
> +
>  SEC("?struct_ops/hid_device_event")
>  int BPF_PROG(hid_test_insert1, struct hid_bpf_ctx *hid_ctx, enum hid_report_type type)
>  {