The bpf(cmd, attr, size) syscall copies up to 'size' bytes on input, but
several commands write outputs back to userspace unconditionally. If the
caller passes a short buffer, this can lead to out-of-bounds writes,
potentially overwriting adjacent userspace memory.
This series addresses this by introducing size-gating based on field type:
1) Mandatory fields (original ABI): Return -EINVAL in __sys_bpf() if the
user-provided buffer size is smaller than the minimum size required to
cover these fields. This hardens the syscall entry point for several
commands.
2) Optional fields (later revisions): Skip writeback if the user-provided
buffer size is too small to cover them. This is applied to
'query.revision' in BPF_PROG_QUERY.
The first patch implements the plumbing and enforcement in the kernel.
The second patch adds a selftest to verify the behavior.
Yuyang Huang (2):
bpf: align syscall writeback behavior with caller-declared size
selftests/bpf: Add verification for BPF_PROG_QUERY attr size
boundaries
drivers/net/netkit.c | 5 +-
include/linux/bpf-cgroup.h | 5 +-
include/linux/bpf_mprog.h | 4 +-
include/net/netkit.h | 6 +-
include/net/tcx.h | 5 +-
kernel/bpf/cgroup.c | 13 +--
kernel/bpf/mprog.c | 5 +-
kernel/bpf/syscall.c | 34 ++++++--
kernel/bpf/tcx.c | 5 +-
.../selftests/bpf/prog_tests/bpf_attr_size.c | 84 +++++++++++++++++++
10 files changed, 141 insertions(+), 25 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
--
2.54.0.563.g4f69b47b94-goog
