From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qt1-f172.google.com (mail-qt1-f172.google.com [209.85.160.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1895418DB2A for ; Tue, 14 Jul 2026 09:39:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784021947; cv=none; b=LaySjPVQWOujXXD9dYgHSlcFBPMq4iWpuvkalJKnTO6Ig0Mx49yXIlDA6hRCzHrNR555WcT/e9jkvXH8MTX9IdIue86pI/TJs0WSvSNx07nAjI62snoOEkkD10YqlreJ85mGWhUUfim4w8NSZmgZ8qh/o5WCIreRj7CtNHB2P2Q= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784021947; c=relaxed/simple; bh=q4FOW+IFo8rnGMWf5TfWHsFPOMl10UYg6rO8gBqFIRs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=K9+ljTLD/4WPYM1fAOaO88QDmTzcsaWpi4dROUzwlYhcFyY2FbbOlV0PXGC9tsOzdzrGHKP545IfD9EP3FX16TRKHqMIJAVbNbE6xUDJFsFgafBRStWgFfq+/zwjji1C48Mt7FJOGqtFAoDjpgKbZKugSeOjE5zZNp52I/iR0UA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AF5yRpBG; arc=none smtp.client-ip=209.85.160.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AF5yRpBG" Received: by mail-qt1-f172.google.com with SMTP id d75a77b69052e-51bfb91795eso34881541cf.1 for ; Tue, 14 Jul 2026 02:39:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1784021944; x=1784626744; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to:content-type; bh=GXSPexmHoqrmcExG3G7G81Rt80PKXXj/iAwlL6QDuik=; b=AF5yRpBGqDBrzxAT9CjKUakKG+Eh2RSmNJ8VFYIEieukDMkba+wFndrghQaz1J1Ha9 jx7g+PCrOcXZNZ8DbwZrjmwAdRc/ap5+/3N+0FBBBu/aXPwpqyCJCFh9s/Ej+k7od10+ nvZuUDQgcPxEckpLifjOMB4TwUToPtnm8DmBR3yO0Aex+bseVl2Z6lYJu9DPhdRBTsUV cW8NrAUe0U6oaPsnXnJo/2+uowmk05Lx1OQEMy7QeyiWixOhLh1pCNGxcy9vEQ+MNd8U O8dm4+o24zOsGwolthA5EJpV20vmNFPaesCq55nrKRTBaJwLqbnAINri6p51BYxuk/PU 2FfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784021944; x=1784626744; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to:content-type; bh=GXSPexmHoqrmcExG3G7G81Rt80PKXXj/iAwlL6QDuik=; b=HsEsoO53ez7/g/8Isz7bsheBPMYXHrPf9yfIu4QsD0HyfxooOZWoZMtNQ/IvojjK+x JhkGzoLj5H7P0uDLcusJcjBzJKAjpujeIx2cml9Mas1A3444xXTm9+UOLC2rRGWPfsVm gR6FXyE0yUMswmPuGis+G8PEK5AIqUHMraC9l6GdB/IUzpvLwQb5ea+mqG1RLFM+35u3 js/qJfCiPh02MR1FkDWPK1IczGlY4LGtEHyrlDViFXG0LneJDpuNOVkqo8FDT9jmudOp KV7uaHaNNT1rqvvbiho8V75cqmsPDKhTEgQJk83mOc76tpvM44DWsVlQMwfH0a/SS5pU GO4Q== X-Forwarded-Encrypted: i=1; AHgh+RpGv4AiSq+dJ+trmGFyh6r+0/N5XmHM/vebnm5LNIGzu4ibsJ6/BSm1RNuQbDMOsG8+Zghz/yGYlU+Fxfg=@vger.kernel.org X-Gm-Message-State: AOJu0Yw+Q1VhU+yYGh0i3odbQNr9UBgPmY2P8+TrCPNq2bYInkJUr0o5 e2Ul5RoSCGfd7qNex1nx0Ywi0s4FnGgLAOMb8v2aJR8Xl9lUwdp9nyfN X-Gm-Gg: AfdE7cmtlvQ2YuJ33eLGvTO8mJsY0VtBThKN70DrOtYMUE+O/3T0uHuXPf9dYNxmu8d 3/ejoF1NZJZefKUrZuoKUHEV5dW8svmKMKr3XMdOmYTC9UY9RciU5kvPM0SL0rMclJ94HCVWoMp yC7Lpx22cpKCfPUtS7TOnxVU3OmsJTSP5uVGdYFWAI97dDxELV8JzMi5KUwfOmhsEE+s0KE7gfh D6JKZpGgRhVhbj0LAwAzxKIctyJQXRgqZre8vjxm7vWw9WgfBp0vlu6de1IDG9vMWDI+vRukBL2 /7kla+DaeWrzTD5UJiCb6cOYupk/rYrET1LOqYqMPJfFL3pULKtwpfeKz9sLVzDfdmketCmSUve VgqtcMljeBAkvJ9a1MH+QfGqQq36prg6zh2MwZcjP+An+FWrt7VfA+4Bd0SaoSaYKWqdFhr7yi+ T0yfRRuAeQvALJPfjQBRyOCbJdaNfhW9byTRleKzRAEYYgP0XiPOB8bbnYvVKHz01W5os1O5ah X-Received: by 2002:ac8:5a45:0:b0:51b:fb4f:afdc with SMTP id d75a77b69052e-51e42364132mr10365921cf.11.1784021943874; Tue, 14 Jul 2026 02:39:03 -0700 (PDT) Received: from localhost.localdomain ([202.8.105.115]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-51caacf2a75sm111460511cf.13.2026.07.14.02.38.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Jul 2026 02:39:03 -0700 (PDT) From: Sun Jian To: bpf@vger.kernel.org Cc: Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , Eduard Zingerman , Emil Tsalapatis , Jiri Olsa , John Fastabend , Kumar Kartikeya Dwivedi , Martin KaFai Lau , Shuah Khan , Song Liu , Yonghong Song , Shung-Hsi Yu , Matt Mullins , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Sun Jian Subject: [PATCH bpf v5 0/2] bpf: Reject negative const offsets for buffer pointers Date: Tue, 14 Jul 2026 02:38:44 -0700 Message-ID: <20260714093846.18159-1-sun.jian.kdev@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Reject negative effective offsets for PTR_TO_TP_BUFFER and PTR_TO_BUF accesses. Calculate the effective access start using signed arithmetic to prevent unsigned access-end accounting from wrapping, and cover both load-time rejection and the raw tracepoint writable attach-time path. --- Changes in v5: - Simplify __check_buffer_access() to reject a negative effective start after confirming that var_off is constant. Validate the combined offset instead of rejecting negative instruction offsets separately. Drop the duplicate BPF_MAX_VAR_OFF check because pointer arithmetic already bounds constant offsets, and remove the redundant size < 0 check. - Switch the raw tracepoint writable attach tests from nbd_send_request to bpf_testmod_test_writable_bare_tp, avoiding the NBD configuration dependency and its false-pass condition. - Split the attach coverage into named subtests and require bpf_raw_tracepoint_open() to return -EINVAL. - Add verifier coverage for a negative constant PTR_TO_BUF offset. Changes in v4: - Correct the Fixes tag to point to 022ac0750883, where pointer offsets were folded into reg->var_off. - Drop the end > U32_MAX check, which is unreachable after bounding const var_off with BPF_MAX_VAR_OFF while keeping instruction offsets and access sizes bounded. Changes in v3: - Check constant var_off against +/-BPF_MAX_VAR_OFF before computing the effective access range, matching the existing verifier pointer offset convention. - Keep explicit rejection of negative instruction offsets and keep bounded negative constant var_off valid when the effective offset is non-negative. Changes in v2: - Split the kernel fix and selftests into separate patches. - Add an attach-time raw tracepoint writable test that exercises max_tp_access against nbd_send_request's writable size. - Adjust selftest formatting to use the 100 character line width. Tested: - ./test_progs -v -t verifier_raw_tp_writable - ./test_progs -v -t verifier_ptr_to_buf - ./test_progs -v -t raw_tp_writable_reject_bad_access - ./test_progs -v -t raw_tp_writable_test_run v4: https://lore.kernel.org/bpf/20260708090151.151729-1-sun.jian.kdev@gmail.com/ v3: https://lore.kernel.org/bpf/20260708040715.116680-1-sun.jian.kdev@gmail.com/ v2: https://lore.kernel.org/bpf/20260707060804.93561-1-sun.jian.kdev@gmail.com/ v1: https://lore.kernel.org/bpf/20260703035137.109608-1-sun.jian.kdev@gmail.com/ Sun Jian (2): bpf: Reject negative const offsets for buffer pointers selftests/bpf: Cover negative buffer pointer offsets kernel/bpf/verifier.c | 31 ++++++---- .../raw_tp_writable_reject_bad_access.c | 57 +++++++++++++++++++ .../raw_tp_writable_reject_nbd_invalid.c | 43 -------------- .../selftests/bpf/prog_tests/verifier.c | 2 + .../selftests/bpf/progs/verifier_ptr_to_buf.c | 27 +++++++++ .../bpf/progs/verifier_raw_tp_writable.c | 16 ++++++ 6 files changed, 121 insertions(+), 55 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_bad_access.c delete mode 100644 tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c create mode 100644 tools/testing/selftests/bpf/progs/verifier_ptr_to_buf.c base-commit: 7cbd0c4cebe4c9f678d15e6b9ba975e1155a107f -- 2.43.0