From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
To: sun jian <sun.jian.kdev@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net,
john.fastabend@gmail.com, andrii@kernel.org, eddyz87@gmail.com,
memxor@gmail.com, martin.lau@linux.dev, song@kernel.org,
yonghong.song@linux.dev, jolsa@kernel.org, emil@etsalapatis.com,
shuah@kernel.org, mmullins@fb.com, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf v4 1/2] bpf: Reject negative const offsets for buffer pointers
Date: Thu, 9 Jul 2026 14:47:03 +0800 [thread overview]
Message-ID: <ak8XSRiLKx5WcIQw@u94a> (raw)
In-Reply-To: <CABFUUZHpPwuTk69hb54WugJwssFuvoqFFPv34dZRbKLLc1PwwQ@mail.gmail.com>
On Wed, Jul 08, 2026 at 10:11:01PM +0800, sun jian wrote:
[...]
> > > @@ -5326,14 +5326,18 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
> > > static int __check_buffer_access(struct bpf_verifier_env *env,
> > > const char *buf_info,
> > > const struct bpf_reg_state *reg,
> > > - argno_t argno, int off, int size)
> > > + argno_t argno, int off, int size,
> > > + u32 *access_end)
> > > {
> > > + s64 start, var_off;
> > > +
> > > if (off < 0) {
> > > verbose(env,
> > > "%s invalid %s buffer access: off=%d, size=%d\n",
> > > reg_arg_name(env, argno), buf_info, off, size);
> > > return -EACCES;
> > > }
> > > +
> > > if (!tnum_is_const(reg->var_off)) {
> > > char tn_buf[48];
> > >
> > > @@ -5344,6 +5348,29 @@ static int __check_buffer_access(struct bpf_verifier_env *env,
> > > return -EACCES;
> > > }
> > >
> > > + var_off = (s64)reg->var_off.value;
> > > + if (var_off >= BPF_MAX_VAR_OFF || var_off <= -BPF_MAX_VAR_OFF) {
> > > + verbose(env, "%s %s buffer offset %lld is not allowed\n",
> > > + reg_arg_name(env, argno), buf_info, var_off);
> > > + return -EACCES;
> > > + }
> > > +
> > > + start = var_off + off;
> > > + if (start < 0) {
> > > + verbose(env,
> > > + "%s invalid negative %s buffer offset: off=%d, var_off=%lld\n",
> > > + reg_arg_name(env, argno), buf_info, off, var_off);
> > > + return -EACCES;
> > > + }
> >
> > I was thinking of suggest to just do a single unsigned check
> >
> > var_off = reg->var_off.value;
> > if (var_off >= BPF_MAX_VAR_OFF) {
> > ...
> >
> > But looking at the code before 022ac0750883, what you have is closer
> > aligned to the previous behavior, let's stick to this.
Actually looking again at 022ac0750883, moving the `off < 0` after
tnum_is_const() and bringing back the `off += reg->off` removed from
check_mem_access() is perhaps the more faithful restoration of the
original behavior.
Though reg->off no longer exists, we have to use reg->var_off.value
instead. IIUC any register of pointer type should already have its
var_off bounded to +-BPF_MAX_VAR_OFF by adjust_ptr_min_max_vals() in
theory, and thus shouldn't overflow `int off`.
See the diff below.
[...]
> I agree that the size check is redundant given the current call path. I’ll leave
> v4 as-is for now to avoid another respin unless maintainers prefer dropping it
> or adding a short comment around the access_end calculation.
Agree and make sense. Let's see what @Eduard thinks.
---
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index d46f7db20d8f..e116b33ad83e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5359,12 +5359,6 @@ static int __check_buffer_access(struct bpf_verifier_env *env,
const struct bpf_reg_state *reg,
argno_t argno, int off, int size)
{
- if (off < 0) {
- verbose(env,
- "%s invalid %s buffer access: off=%d, size=%d\n",
- reg_arg_name(env, argno), buf_info, off, size);
- return -EACCES;
- }
if (!tnum_is_const(reg->var_off)) {
char tn_buf[48];
@@ -5375,6 +5369,14 @@ static int __check_buffer_access(struct bpf_verifier_env *env,
return -EACCES;
}
+ off += reg->var_off.value;
+ if (off < 0) {
+ verbose(env,
+ "%s invalid %s buffer access: off=%d, size=%d\n",
+ reg_arg_name(env, argno), buf_info, off, size);
+ return -EACCES;
+ }
+
return 0;
}
next prev parent reply other threads:[~2026-07-09 6:47 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 9:01 [PATCH bpf v4 0/2] bpf: Reject negative const offsets for buffer pointers Sun Jian
2026-07-08 9:01 ` [PATCH bpf v4 1/2] " Sun Jian
2026-07-08 13:13 ` Shung-Hsi Yu
2026-07-08 14:11 ` sun jian
2026-07-09 6:47 ` Shung-Hsi Yu [this message]
2026-07-09 12:47 ` sun jian
2026-07-09 18:21 ` Eduard Zingerman
2026-07-10 5:52 ` sun jian
2026-07-10 6:23 ` Eduard Zingerman
2026-07-10 7:25 ` sun jian
2026-07-10 7:47 ` Eduard Zingerman
2026-07-10 8:00 ` Shung-Hsi Yu
2026-07-10 8:10 ` Shung-Hsi Yu
2026-07-10 10:27 ` sun jian
2026-07-08 9:01 ` [PATCH bpf v4 2/2] selftests/bpf: Cover negative raw_tp writable buffer offsets Sun Jian
2026-07-09 16:59 ` Eduard Zingerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ak8XSRiLKx5WcIQw@u94a \
--to=shung-hsi.yu@suse.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=mmullins@fb.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=sun.jian.kdev@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox