From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 434D530FF08; Mon, 13 Apr 2026 16:35:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776098159; cv=none; b=dumPa5WFEVu8XeAOv+5nwnjXacOL1LFD1QoauuN3Uq48f7BGsNqRuhV5qTx+cBFJEVjIsz1wBoNRpz7Rvi9mCVDP+ZBQobAkaRybRDBKmWlLGbwT0Q7O9ktGKN0cW3eInI29yjoMJTIx7jnnkSnJGMTPw6xG5KG+MPaK1wDj5hU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776098159; c=relaxed/simple; bh=9gcqSvZajY9Ellc3zS3W1W8ywBzF9Y7B3Pak/nqBHW8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=RT2Dj9ZE8ufzNP0To9OWS9ZR+7ztQC+TR4Y5z7O6hifPNYq8e7Nx9jNrq0KgI2ib5+GHtqSALVnJy0vrSbqe0z7d1DQlnNPcMOZW5LzUSqgUToigkAlbvjxChlNpWVmx0CP37r45lR7G/y28Qbto3JuQ3HfVszhP9tu1ne1UhR8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=d4N2bJcX; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="d4N2bJcX" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4C2D6C2BCB3; Mon, 13 Apr 2026 16:35:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1776098158; bh=9gcqSvZajY9Ellc3zS3W1W8ywBzF9Y7B3Pak/nqBHW8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d4N2bJcXRShihkEpSpxaJ0egJLjWNgL7kV0c1bNxvE1E/ptEOtHq7FUxczsyF/97s zgW1zHM/etkgOudzUgjSDnKxONESTTcoAvFzBVmeWH7CICqmTKQhNwedTyHRbpROlk nwqXu3aBxZTuGLKvRcpJOz9AXJGbZeKHEnUvm2Dw= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , Amery Hung , Eduard Zingerman , Sasha Levin Subject: [PATCH 5.15 417/570] bpf: Fix regsafe() for pointers to packet Date: Mon, 13 Apr 2026 17:59:08 +0200 Message-ID: <20260413155846.092969315@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413155830.386096114@linuxfoundation.org> References: <20260413155830.386096114@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Alexei Starovoitov [ Upstream commit a8502a79e832b861e99218cbd2d8f4312d62e225 ] In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N regsafe() may return true which may lead to current state with valid packet range not being explored. Fix the bug. Fixes: 6d94e741a8ff ("bpf: Support for pointers beyond pkt_end.") Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Reviewed-by: Daniel Borkmann Reviewed-by: Amery Hung Acked-by: Eduard Zingerman Link: https://lore.kernel.org/bpf/20260331204228.26726-1-alexei.starovoitov@gmail.com Signed-off-by: Sasha Levin --- kernel/bpf/verifier.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 78daffc474899..13eede4c43d48 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10599,8 +10599,13 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold, * since someone could have accessed through (ptr - k), or * even done ptr -= k in a register, to get a safe access. */ - if (rold->range > rcur->range) + if (rold->range < 0 || rcur->range < 0) { + /* special case for [BEYOND|AT]_PKT_END */ + if (rold->range != rcur->range) + return false; + } else if (rold->range > rcur->range) { return false; + } /* If the offsets don't match, we can't trust our alignment; * nor can we be sure that we won't fall out of range. */ -- 2.53.0