From: Sun Jian <sun.jian.kdev@gmail.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com,
martin.lau@linux.dev, song@kernel.org, yonghong.song@linux.dev,
jolsa@kernel.org, emil@etsalapatis.com, shuah@kernel.org,
mmullins@fb.com, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org,
Sun Jian <sun.jian.kdev@gmail.com>
Subject: [PATCH bpf v2 1/2] bpf: Reject negative const offsets for buffer pointers
Date: Mon, 6 Jul 2026 23:08:03 -0700 [thread overview]
Message-ID: <20260707060804.93561-2-sun.jian.kdev@gmail.com> (raw)
In-Reply-To: <20260707060804.93561-1-sun.jian.kdev@gmail.com>
The verifier rejects variable offsets for PTR_TO_TP_BUFFER and PTR_TO_BUF
accesses, but it currently accepts a constant negative offset produced by
pointer arithmetic.
For example, a raw tracepoint writable program can load ctx[0] as a
PTR_TO_TP_BUFFER, move it by -8, and then access the adjusted pointer.
The access is before the tracepoint writable buffer base and should be
rejected.
Compute the signed effective buffer offset before updating max access
accounting. Reject negative effective offsets and use the checked access
end for max_tp_access and other buffer max access accounting.
Fixes: 9df1c28bb752 ("bpf: add writable context for raw tracepoints")
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
---
kernel/bpf/verifier.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 21a365d436a5..b4ed6d519630 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5326,14 +5326,18 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
static int __check_buffer_access(struct bpf_verifier_env *env,
const char *buf_info,
const struct bpf_reg_state *reg,
- argno_t argno, int off, int size)
+ argno_t argno, int off, int size,
+ u32 *access_end)
{
+ s64 start, var_off;
+
if (off < 0) {
verbose(env,
"%s invalid %s buffer access: off=%d, size=%d\n",
reg_arg_name(env, argno), buf_info, off, size);
return -EACCES;
}
+
if (!tnum_is_const(reg->var_off)) {
char tn_buf[48];
@@ -5344,6 +5348,29 @@ static int __check_buffer_access(struct bpf_verifier_env *env,
return -EACCES;
}
+ var_off = (s64)reg->var_off.value;
+ if (check_add_overflow(var_off, (s64)off, &start)) {
+ verbose(env,
+ "%s invalid %s buffer access: off=%d, var_off=%lld\n",
+ reg_arg_name(env, argno), buf_info, off, var_off);
+ return -EACCES;
+ }
+
+ if (start < 0) {
+ verbose(env,
+ "%s invalid negative %s buffer offset: off=%d, var_off=%lld\n",
+ reg_arg_name(env, argno), buf_info, off, var_off);
+ return -EACCES;
+ }
+
+ if (start > U32_MAX || size < 0 ||
+ check_add_overflow((u32)start, (u32)size, access_end)) {
+ verbose(env,
+ "%s invalid %s buffer access: off=%lld, size=%d\n",
+ reg_arg_name(env, argno), buf_info, start, size);
+ return -EACCES;
+ }
+
return 0;
}
@@ -5351,14 +5378,14 @@ static int check_tp_buffer_access(struct bpf_verifier_env *env,
const struct bpf_reg_state *reg,
argno_t argno, int off, int size)
{
+ u32 access_end;
int err;
- err = __check_buffer_access(env, "tracepoint", reg, argno, off, size);
+ err = __check_buffer_access(env, "tracepoint", reg, argno, off, size, &access_end);
if (err)
return err;
- env->prog->aux->max_tp_access = max(reg->var_off.value + off + size,
- env->prog->aux->max_tp_access);
+ env->prog->aux->max_tp_access = max(access_end, env->prog->aux->max_tp_access);
return 0;
}
@@ -5370,13 +5397,14 @@ static int check_buffer_access(struct bpf_verifier_env *env,
u32 *max_access)
{
const char *buf_info = type_is_rdonly_mem(reg->type) ? "rdonly" : "rdwr";
+ u32 access_end;
int err;
- err = __check_buffer_access(env, buf_info, reg, argno, off, size);
+ err = __check_buffer_access(env, buf_info, reg, argno, off, size, &access_end);
if (err)
return err;
- *max_access = max(reg->var_off.value + off + size, *max_access);
+ *max_access = max(access_end, *max_access);
return 0;
}
--
2.43.0
next prev parent reply other threads:[~2026-07-07 6:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 6:08 [PATCH bpf v2 0/2] bpf: Reject negative const offsets for buffer pointers Sun Jian
2026-07-07 6:08 ` Sun Jian [this message]
2026-07-07 7:17 ` [PATCH bpf v2 1/2] " Shung-Hsi Yu
2026-07-07 8:38 ` sun jian
2026-07-07 6:08 ` [PATCH bpf v2 2/2] selftests/bpf: Cover negative raw_tp writable buffer offsets Sun Jian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707060804.93561-2-sun.jian.kdev@gmail.com \
--to=sun.jian.kdev@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=mmullins@fb.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox