Skip to content

bpf: Reject narrower access to pointer ctx fields #9336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: bpf-next_base
Choose a base branch
from
Open

bpf: Reject narrower access to pointer ctx fields #9336

wants to merge 2 commits into from
+39 −14

Conversation

kernel-patches-daemon-bpf[bot]
Copy link

Pull request for series with
subject: bpf: Reject narrower access to pointer ctx fields
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=984328

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 42be23e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=984328
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 42be23e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=984328
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 95993dc
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=984328
version: 1

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 95993dc
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=984748
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 95993dc
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=984748
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 95993dc
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=984748
version: 2

pchaigno added 2 commits July 22, 2025 14:46
@pchaigno
bpf: Reject narrower access to pointer ctx fields
acb0fab 
The following BPF program, simplified from a syzkaller repro, causes a
kernel warning:

    r0 = *(u8 *)(r1 + 169);
    exit;

With pointer field sk being at offset 168 in __sk_buff. This access is
detected as a narrower read in bpf_skb_is_valid_access because it
doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
and later proceeds to bpf_convert_ctx_access. At that point,
target_size is null and the verifier errors with a kernel warning and:

    verifier bug: error during ctx access conversion(1)

This patch fixes that to return a proper "invalid bpf_context access
off=X size=Y" error on the load instruction.

The same issue affects multiple other fields in context structures that
allow narrow access. Some other non-affected fields (for sk_msg,
sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
consistency.

Note this syzkaller crash was reported in [1], which used to be about a
different bug, fixed in commit fce7bd8 ("bpf/verifier: Handle
BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow
confused the two bugs, the new crash and repro didn't get reported to
the mailing list.

Link: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec [1]
Fixes: f96da09 ("bpf: simplify narrower ctx access")
Fixes: 0df1a55 ("bpf: Warn on internal verifier errors")
Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
@pchaigno
selftests/bpf: Test invalid narrower ctx load
6364d8c 
This patch adds selftests to cover invalid narrower loads on the
context. These used to cause kernel warnings before the previous patch.
To trigger the warning, the load had to be aligned, to read an affected
context field (ex., skb->sk), and not starting at the beginning of the
field.

The nine new cases all fail without the previous patch.

Suggested-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bpf-next new V2-ci-pass V2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@pchaigno