1. Patchew
  2. linux
  3. View series

[PATCH bpf v2] bpf: Fix off-by-one boundary validation in arena direct-value access

Junyoung Jang posted 1 patch 1 month, 3 weeks ago 
kernel/bpf/arena.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH bpf v2] bpf: Fix off-by-one boundary validation in arena direct-value access
Posted by Junyoung Jang 1 month, 3 weeks ago 
BPF_MAP_TYPE_ARENA accepts BPF_PSEUDO_MAP_VALUE offsets at exactly
the end of the arena mapping (off == arena_size). The boundary check
in arena_map_direct_value_addr() uses `>` instead of `>=`, which
incorrectly allows a one-past-end pointer to be accepted.

Change the condition to `>=` to correctly reject offsets that fall
outside the valid arena user_vm range.

Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
Signed-off-by: Junyoung Jang <graypanda.inzag@gmail.com>
---
 kernel/bpf/arena.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
index 802656c6fd3c..49a8f7b1beef 100644
--- a/kernel/bpf/arena.c
+++ b/kernel/bpf/arena.c
@@ -511,7 +511,7 @@ static int arena_map_direct_value_addr(const struct bpf_map *map, u64 *imm, u32
 {
 	struct bpf_arena *arena = container_of(map, struct bpf_arena, map);
 
-	if ((u64)off > arena->user_vm_end - arena->user_vm_start)
+	if ((u64)off >= arena->user_vm_end - arena->user_vm_start)
 		return -ERANGE;
 	*imm = (unsigned long)arena->user_vm_start;
 	return 0;
-- 
2.43.0
Re: [PATCH bpf v2] bpf: Fix off-by-one boundary validation in arena direct-value access
Posted by Emil Tsalapatis 1 month, 3 weeks ago 
On Sun Apr 26, 2026 at 1:25 PM EDT, Junyoung Jang wrote:
> BPF_MAP_TYPE_ARENA accepts BPF_PSEUDO_MAP_VALUE offsets at exactly
> the end of the arena mapping (off == arena_size). The boundary check
> in arena_map_direct_value_addr() uses `>` instead of `>=`, which
> incorrectly allows a one-past-end pointer to be accepted.
>
> Change the condition to `>=` to correctly reject offsets that fall
> outside the valid arena user_vm range.
>
> Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
> Signed-off-by: Junyoung Jang <graypanda.inzag@gmail.com>
> ---

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>

>  kernel/bpf/arena.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/arena.c b/kernel/bpf/arena.c
> index 802656c6fd3c..49a8f7b1beef 100644
> --- a/kernel/bpf/arena.c
> +++ b/kernel/bpf/arena.c
> @@ -511,7 +511,7 @@ static int arena_map_direct_value_addr(const struct bpf_map *map, u64 *imm, u32
>  {
>  	struct bpf_arena *arena = container_of(map, struct bpf_arena, map);
>  
> -	if ((u64)off > arena->user_vm_end - arena->user_vm_start)
> +	if ((u64)off >= arena->user_vm_end - arena->user_vm_start)
>  		return -ERANGE;
>  	*imm = (unsigned long)arena->user_vm_start;
>  	return 0;

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.