From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B4C4829B799 for ; Wed, 8 Jul 2026 13:13:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.45 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783516419; cv=none; b=fCF5//jXj5heH7IFGod1KbIsSqC4dho7d9ctTqQ1YYLo4wVQuvO4wS2nXnofEiJPqv+mjoY/zLMkwiUE6gqZpD1Y5Xk8KJw1EghuHzYJjJQDELaY+MPBnlghZiKm8PBTsVrvlIfaoIlUF9hrrpBC+HxZV+uxD7uNV68fpteKTQs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783516419; c=relaxed/simple; bh=JmX7s0EIPqd9t8N5KHt8I/muMfShONzCYy2F/a/pPug=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=XcqwlLwLq/5TMs79MREzy/V0efIDsAO1pzOZaRNhdWjEirN4vvs428d1VchAan/WUPrPDXKagu5v1a2TbQw/6izO45PZg4Sk9SJYHoXcnpdNe61EzuWL5kC/kRj8DKKGARheiXzhxkdi++572TW66Wi6VDw0SQPBzk8brmgFUBY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=RGTseQPc; arc=none smtp.client-ip=209.85.128.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="RGTseQPc" Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-493b27c7451so20567485e9.0 for ; Wed, 08 Jul 2026 06:13:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1783516415; x=1784121215; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=N1JyDujhG3Sgv6jNuFackk7ytJpNfqoiBKPjDFE83CQ=; b=RGTseQPcZtZCy+GKu8slT+uU23KKVJi0Hg6QKpofzMUFoqzr4nv/1+x3VgIee0StBM rsgFTb/h6nbReydwTcouZ0k5aHSVBN3mq7fYTft6TCkcuTr4Tc3kLt7ayVjOSF+TcOXy 4EId9V14dif9/4WkwECtqq2L3+sWBN9ie+giCOcsMSPk+La6iwfuaP51+kxYYmvB1L8Z /XyXkQZU2/2YQqeZR7XEX2caF51nFeSz2cNNq2q6ECsv2IsQ4Pcskh11oW/rFrJd9uv6 WESFMca7xn+71R9nAut/6oWrrevN3zdFE8+rF57s7YZpw8ofQHDJKiwIVpn0r0Vga5+N EgzQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783516415; x=1784121215; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=N1JyDujhG3Sgv6jNuFackk7ytJpNfqoiBKPjDFE83CQ=; b=NiUvlDjLT+TxWYNWg8YKCEYAN77Nk/75JTwaRXnUgsM0/OM1RhgM7OJa1vOAa7iN+r aKmZPhcsGU1Ft4LlOAqaOJOs5KbTxMmRRP9h60ZrY/kBipayAjXWcTlwq5miloF3vqfe 78AFQ7n552WqPMFMROEWP4gzLPLFSXv+4zksrcvyrDpNsF03+PpYzdnuyX65HRtoFA0W uh1Hp5RZpkzmlMrgkPUkAhnIbfIa7tcHtxRvFATTxddysWAyRxbATxR9uCfc1u75n6ft YyLJbaaVFJiNAUk6xjoTpd75dtmCl3DbbrmKIDlr2ppt6UIPTC4pPFy6PAUFgP74NpFF cOQg== X-Forwarded-Encrypted: i=1; AHgh+Rp3aaGVCxd64Dz6X3Zf0GYMJfvJZ4IToCa/3RfxjTWbiHbKJJD/EXO10yY6DNxfeWeZ+8YrjjjiKvwYRs4=@vger.kernel.org X-Gm-Message-State: AOJu0Yx94ESe0sd7sC74f9o1NuE3Q3N+8cHK3H5mFJNuq+p0mJVeKRJI mQOVWEkMCSTfXgOkT9wPsKVjSD+Zw98z8CiXsoxaAj+FX7/Qz4teYIH3s+AHOWjcsks= X-Gm-Gg: AfdE7clSyqU9dqjWIDVKHTxKL+fSn2NbiH4sEHADxSczzdOi4JTvvzHAqX782NMTy+V d9jmxHom5QvYm1WL+H+4dqyc+ROUSUE1qtmpvaSpL3AuPNbeaeSSHwVAxWGy3OBbKqefkap9XkO P7tyQTZ0VM6OhUIHfpRH1XvLk7FB44Aw3wc7fH7EpWU5rdJWgLFt808t+3EgN4Rzfa3TqHEGMhg InSYhAG1wjt/RNmnbO7lfBsmz1S/q92au6PK9KdealkPMeWpFGtDqxwzV39ZsSo4rfrKiFVv3sC zakffkaF6dxQzWxnkL1AmapOseYwdOCBVBwrPcOjJPAH9mCIqSmZXDBMu5GXrt1QRnV0nPmTTdC RXXxYu/xYaWAeGo4MMSCit5UkVyNZIuQxu0Q5d91I0pdigToEZNej8k2rQqHOYXO4qf0UXaHg1H N8GbVsMk7NlroFm8BeR9BTQrbNBQxBRNDEmht91Jo= X-Received: by 2002:a05:600c:49a7:b0:493:b240:6a8b with SMTP id 5b1f17b1804b1-493e10358a8mr44551725e9.14.1783516414979; Wed, 08 Jul 2026 06:13:34 -0700 (PDT) Received: from u94a (61-227-80-86.dynamic-ip.hinet.net. [61.227.80.86]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-ca5b3a2bf6bsm2461568a12.27.2026.07.08.06.13.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 Jul 2026 06:13:33 -0700 (PDT) Date: Wed, 8 Jul 2026 21:13:18 +0800 From: Shung-Hsi Yu To: Sun Jian Cc: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com, martin.lau@linux.dev, song@kernel.org, yonghong.song@linux.dev, jolsa@kernel.org, emil@etsalapatis.com, shuah@kernel.org, mmullins@fb.com, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH bpf v4 1/2] bpf: Reject negative const offsets for buffer pointers Message-ID: References: <20260708090151.151729-1-sun.jian.kdev@gmail.com> <20260708090151.151729-2-sun.jian.kdev@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260708090151.151729-2-sun.jian.kdev@gmail.com> On Wed, Jul 08, 2026 at 02:01:50AM -0700, Sun Jian wrote: [...] > Fixes: 022ac0750883 ("bpf: use reg->var_off instead of reg->off for pointers") Agree that above is the commit that introduced the issue. More comments below. [...] > @@ -5326,14 +5326,18 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) > static int __check_buffer_access(struct bpf_verifier_env *env, > const char *buf_info, > const struct bpf_reg_state *reg, > - argno_t argno, int off, int size) > + argno_t argno, int off, int size, > + u32 *access_end) > { > + s64 start, var_off; > + > if (off < 0) { > verbose(env, > "%s invalid %s buffer access: off=%d, size=%d\n", > reg_arg_name(env, argno), buf_info, off, size); > return -EACCES; > } > + > if (!tnum_is_const(reg->var_off)) { > char tn_buf[48]; > > @@ -5344,6 +5348,29 @@ static int __check_buffer_access(struct bpf_verifier_env *env, > return -EACCES; > } > > + var_off = (s64)reg->var_off.value; > + if (var_off >= BPF_MAX_VAR_OFF || var_off <= -BPF_MAX_VAR_OFF) { > + verbose(env, "%s %s buffer offset %lld is not allowed\n", > + reg_arg_name(env, argno), buf_info, var_off); > + return -EACCES; > + } > + > + start = var_off + off; > + if (start < 0) { > + verbose(env, > + "%s invalid negative %s buffer offset: off=%d, var_off=%lld\n", > + reg_arg_name(env, argno), buf_info, off, var_off); > + return -EACCES; > + } I was thinking of suggest to just do a single unsigned check var_off = reg->var_off.value; if (var_off >= BPF_MAX_VAR_OFF) { ... But looking at the code before 022ac0750883, what you have is closer aligned to the previous behavior, let's stick to this. > + > + if (size < 0) { > + verbose(env, "%s invalid %s buffer access: off=%lld, size=%d\n", > + reg_arg_name(env, argno), buf_info, start, size); > + return -EACCES; > + } `size` comes from bpf_size_to_bytes(bpf_size) in check_mem_access(), and is already checked to be not negative; plus other check_* helpers does not check for this, so I think it can be dropped. Otherwise, LGTM: Acked-by: Shung-Hsi Yu > + > + *access_end = (u32)start + (u32)size; If you want, this could use a quick one-line comments regarding the fact that it won't overflow, or even verifier_bug_if(). > + > return 0; > } > [...]