Date: Sun, 31 May 2026 08:47:47 +0800
From: Yuyang Huang
To: Yuyang Huang
Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Eduard Zingerman, Jiri Olsa, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau, Shuah Khan, Song Liu, Yonghong Song, Leon Hwang, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Maciej Żenczykowski, Lorenzo Colitti
Subject: [PATCH bpf-next v2 1/2] bpf: reject BPF_PROG_QUERY with short uattr size
Message-ID: <20260531004748.3567875-2-yuyanghuang@google.com>
In-Reply-To: <20260531004748.3567875-1-yuyanghuang@google.com>

BPF_PROG_QUERY writes back the 'query.revision' field unconditionally to
userspace. If userspace passes a smaller 'bpf_attr' structure (e.g. 40
bytes, which was the layout before the addition of 'query.revision'), the
kernel performs an out-of-bounds write.

Fix this by returning -EFAULT in bpf_prog_query() if the user-provided
attribute size is smaller than the offset of the 'query.revision' field.

Fixes: 120933984460 ("bpf: Implement mprog API on top of existing cgroup progs")
Cc: Maciej Żenczykowski
Cc: Lorenzo Colitti
Signed-off-by: Yuyang Huang
---
 kernel/bpf/syscall.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index a3c0214ca934..c9a5415ad437 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -4654,8 +4654,10 @@ static int bpf_prog_detach(const union bpf_attr *att= r) #define BPF_PROG_QUERY_LAST_FIELD query.revision =20 static int bpf_prog_query(const union bpf_attr *attr, - union bpf_attr __user *uattr) + union bpf_attr __user *uattr, u32 uattr_size) { + if (uattr_size < offsetofend(union bpf_attr, query.revision)) + return -EFAULT; if (!bpf_net_capable()) return -EPERM; if (CHECK_ATTR(BPF_PROG_QUERY)) 
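Review bot: the new `uattr_size` check is placed before the `bpf_net_capable()` test, so a caller that lacks the capability and also passes a short attr now gets -EFAULT where it previously got -EPERM; if failing on the malformed argument first is intended, say so in the commit message, otherwise move the check below the capability test. A one-line comment above `if (uattr_size < offsetofend(union bpf_attr, query.revision))` would also help, since nothing in bpf_prog_query() itself shows that query.revision is later copied back into uattr; something like `/* query.revision is written back to uattr; the user buffer must cover it */` makes the reason for -EFAULT visible at the check.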
@@ -6260,7 +6262,7 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr= , unsigned int size) err =3D bpf_prog_detach(&attr); break; case BPF_PROG_QUERY: - err =3D bpf_prog_query(&attr, uattr.user); + err =3D bpf_prog_query(&attr, uattr.user, size); break; case BPF_PROG_TEST_RUN: err =3D bpf_prog_test_run(&attr, uattr.user); --=20 2.54.0.823.g6e5bcc1fc9-goog
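Review bot: the `size` passed here is the caller's declared size from `__sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size)`, which matches the new `u32 uattr_size` parameter, so the plumbing is correct. The trailing context shows `bpf_prog_test_run(&attr, uattr.user)` still taking uattr without a size; if that path also writes results back into uattr, the same short-attr consideration applies, and it would be worth stating in the cover letter whether it was checked or is already guarded elsewhere.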
Date: Sun, 31 May 2026 08:47:48 +0800
From: Yuyang Huang
To: Yuyang Huang
Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Eduard Zingerman, Jiri Olsa, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau, Shuah Khan, Song Liu, Yonghong Song, Leon Hwang, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Maciej Żenczykowski, Lorenzo Colitti
Subject: [PATCH bpf-next v2 2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries
Message-ID: <20260531004748.3567875-3-yuyanghuang@google.com>
In-Reply-To: <20260531004748.3567875-1-yuyanghuang@google.com>

Add a new selftest to verify that the BPF syscall (specifically
BPF_PROG_QUERY) correctly rejects queries with a user-declared size below
the mandatory minimum (which now covers query.revision) with -EFAULT, and
succeeds when given the full size.

Cc: Maciej Żenczykowski
Cc: Lorenzo Colitti
Signed-off-by: Yuyang Huang
---
 .../selftests/bpf/prog_tests/bpf_attr_size.c | 65 +++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c

diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
new file mode 100644
index 000000000000..4fbe56cb29d4
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
@@ -0,0 +1,65 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2026 Google LLC */ +#include +#include +#include +#include +#include +#include "cgroup_skb_direct_packet_access.skel.h" + +#define OLD_QUERY_SIZE offsetofend(union bpf_attr, query.prog_cnt) +#define FULL_QUERY_SIZE offsetofend(union bpf_attr, query.revision) + +static void test_query_size_boundaries(void) +{ + struct cgroup_skb_direct_packet_access *skel; + struct bpf_link *link =3D NULL; + union bpf_attr attr; + int cg_fd =3D -1; + int err; + + skel =3D cgroup_skb_direct_packet_access__open_and_load(); + if (!ASSERT_OK_PTR(skel, "skel_load")) + return; + + cg_fd =3D test__join_cgroup("/attr_size_cg"); + if (!ASSERT_GE(cg_fd, 0, "join_cgroup")) + goto cleanup; + + link =3D bpf_program__attach_cgroup(skel->progs.direct_packet_access, + cg_fd); + if (!ASSERT_OK_PTR(link, "cg_attach")) + goto cleanup; + + memset(&attr, 0, sizeof(attr)); + attr.query.target_fd =3D cg_fd; + attr.query.attach_type =3D BPF_CGROUP_INET_INGRESS; + + err =3D syscall(__NR_bpf, BPF_PROG_QUERY, &attr, OLD_QUERY_SIZE); + ASSERT_EQ(err, -1, "query_old_size_fails"); + ASSERT_EQ(errno, EFAULT, "query_old_size_efault"); + + memset(&attr, 0, sizeof(attr)); + attr.query.target_fd =3D cg_fd; + attr.query.attach_type =3D BPF_CGROUP_INET_INGRESS; + + err =3D syscall(__NR_bpf, BPF_PROG_QUERY, &attr, FULL_QUERY_SIZE); + if (!ASSERT_OK(err, "query_full_size")) + goto cleanup; + + ASSERT_EQ(attr.query.prog_cnt, 1, "prog_cnt_written"); + ASSERT_GT(attr.query.revision, 0, "revision_written"); + +cleanup: + if (link) + bpf_link__destroy(link); + if (cg_fd >=3D 0) + close(cg_fd); + cgroup_skb_direct_packet_access__destroy(skel); +} + +void test_bpf_attr_size(void) +{ + if (test__start_subtest("query_size_boundaries")) + test_query_size_boundaries(); +} --=20 2.54.0.823.g6e5bcc1fc9-goog
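Review bot: the negative case hands the kernel a full `union bpf_attr` while declaring `OLD_QUERY_SIZE`, so it verifies the -EFAULT return but cannot observe the over-write the fix prevents; a buffer of exactly `OLD_QUERY_SIZE` bytes followed by a guard value, checked unchanged after the call, would also fail on an unfixed kernel and make the regression test stronger. Two comments would help the next reader: why the raw `syscall(__NR_bpf, BPF_PROG_QUERY, &attr, OLD_QUERY_SIZE)` is used instead of a libbpf helper (the test must control the declared size itself), and that `cgroup_skb_direct_packet_access` is only used as an attachable cgroup program so that `ASSERT_EQ(attr.query.prog_cnt, 1, ...)` has something to count.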