>     bpf: align syscall writeback behavior with caller-declared size
>
>     The bpf(cmd, attr, size) syscall copies up to 'size' bytes on input, but
>     several commands write outputs back to userspace unconditionally. Because
>     copy_to_user() does not fault on adjacent mapped memory, a short userspace
>     buffer results in out-of-bounds writes, potentially overwriting adjacent
>     userspace memory.
>
>     Address this by introducing two policies based on field type:
>
>     1) Mandatory fields (original ABI): Return -EINVAL in __sys_bpf() if the
>        buffer size does not cover them. This hardens the syscall front-gate
>        for the following commands:
>        - BPF_PROG_QUERY (min size: query.prog_cnt)
>        - BPF_PROG_TEST_RUN (min size: test.duration)
>        - BPF_*_GET_NEXT_ID (min size: next_id)
>        - BPF_OBJ_GET_INFO_BY_FD (min size: info.info_len)
>        - BPF_TASK_FD_QUERY (minimum size: task_fd_query.probe_addr)
>        - BPF_MAP_*_BATCH (min size: batch.flags)
>
>     2) Optional fields (later revisions): Skip writeback if the buffer size
>        does not cover the field. This is applied to BPF_PROG_QUERY's
>        'query.revision'. Older userspace passing a smaller size (e.g., 40
>        bytes) will have the write safely skipped. This size-gating pattern
>        mirrors the existing precedent used for 'log_true_size' (verifier.c)
>        and 'btf_log_true_size' (btf.c).
>
>     To support this, the user-declared 'size' is plumbed from __sys_bpf()
>     through the query dispatchers (cgroup, tcx, netkit) to the underlying
>     writeback helpers in cgroup.c and mprog.c.
>
>     Cc: Maciej Żenczykowski <[email protected]>
>     Cc: Lorenzo Colitti <[email protected]>
>     Signed-off-by: Yuyang Huang <[email protected]>
>     Link: https://lore.kernel.org/r/CANP3RGfZTXM_u=e_atoompzxutoqj02nomkccr-ybzbom2s...@mail.gmail.com

This looks like a bug fix for an out-of-bounds write vulnerability.
Should this include a Fixes: tag to identify which commit introduced the
unconditional copy_to_user() calls for query.revision without checking
the user-provided buffer size?

  Fixes: 3fe213c040b3 ("adding ci files")


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/25905928331
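The two writeback policies described in the quoted commit message (reject the call when the caller-declared size does not cover a mandatory field; silently skip an optional field it does not cover), shown as an added C example that is not the kernel's code and not part of this patch. `struct query_attr`, `sim_copy_to_user()`, `run_case()` and the output values 7 and 99 are this example's own constructions; the simulated buffer counts writes that would land past what userspace actually owns, which a real `copy_to_user()` would perform without faulting.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example-only stand-in for the BPF_PROG_QUERY attr layout. Offsets are this
 * example's own construction, not a statement about the real uapi ABI. */
struct query_attr {
    uint32_t target_fd;
    uint32_t attach_type;
    uint32_t query_flags;
    uint32_t attach_flags;
    uint64_t prog_ids;
    uint32_t prog_cnt;          /* original ABI: mandatory output */
    uint32_t pad;
    uint64_t prog_attach_flags;
    uint64_t link_ids;
    uint64_t link_attach_flags;
    uint64_t revision;          /* later revision: optional output */
};

#define offsetofend(T, m) (offsetof(T, m) + sizeof(((T *)0)->m))

/* Simulated user buffer. `cap` is how many bytes userspace actually owns; a
 * real copy_to_user() cannot know this and writes into whatever is mapped
 * next. Here a write past `cap` is counted instead of performed. */
struct ubuf {
    unsigned char *mem;
    size_t cap;
    int oob_writes;
};

static void sim_copy_to_user(struct ubuf *u, size_t off, const void *src, size_t n)
{
    if (off + n > u->cap) {
        u->oob_writes++;      /* the out-of-bounds write, made visible */
        return;
    }
    memcpy(u->mem + off, src, n);
}

typedef int (*writeback_fn)(struct ubuf *, uint32_t, uint32_t, uint64_t);

/* 'Before': every output field is written regardless of caller-declared size. */
static int query_writeback_unconditional(struct ubuf *u, uint32_t size,
                                         uint32_t cnt, uint64_t rev)
{
    (void)size;
    sim_copy_to_user(u, offsetof(struct query_attr, prog_cnt), &cnt, sizeof(cnt));
    sim_copy_to_user(u, offsetof(struct query_attr, revision), &rev, sizeof(rev));
    return 0;
}

/* 'After': policy 1 front-gates the mandatory field with -EINVAL; policy 2
 * skips the optional field when the caller's size does not cover it. */
static int query_writeback_gated(struct ubuf *u, uint32_t size,
                                 uint32_t cnt, uint64_t rev)
{
    if (size < offsetofend(struct query_attr, prog_cnt))
        return -EINVAL;
    sim_copy_to_user(u, offsetof(struct query_attr, prog_cnt), &cnt, sizeof(cnt));

    if (size >= offsetofend(struct query_attr, revision))
        sim_copy_to_user(u, offsetof(struct query_attr, revision), &rev, sizeof(rev));
    return 0;
}

struct result {
    int ret;        /* return code of the writeback */
    int oob;        /* out-of-bounds writes that would have happened */
    uint32_t cnt;   /* prog_cnt as userspace reads it back */
    uint64_t rev;   /* revision as userspace reads it back (0 if untouched) */
};

/* Run one writeback against a user buffer of exactly `size` bytes, with the
 * constructed output values prog_cnt=7 and revision=99. */
static struct result run_case(writeback_fn fn, uint32_t size)
{
    unsigned char mem[sizeof(struct query_attr)] = {0};
    struct ubuf u = { mem, size, 0 };
    struct result r = { 0, 0, 0, 0 };

    if (size > sizeof(mem)) {     /* keep the simulation inside its own array */
        r.ret = -E2BIG;
        return r;
    }
    r.ret = fn(&u, size, 7, 99);
    r.oob = u.oob_writes;
    memcpy(&r.cnt, mem + offsetof(struct query_attr, prog_cnt), sizeof(r.cnt));
    memcpy(&r.rev, mem + offsetof(struct query_attr, revision), sizeof(r.rev));
    return r;
}

int main(void)
{
    const uint32_t sizes[] = { 16, 40, 64 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        struct result a = run_case(query_writeback_unconditional, sizes[i]);
        struct result b = run_case(query_writeback_gated, sizes[i]);
        printf("size=%2u unconditional: ret=%d oob=%d | gated: ret=%d oob=%d cnt=%u rev=%llu\n",
               sizes[i], a.ret, a.oob, b.ret, b.oob, b.cnt, (unsigned long long)b.rev);
    }
    return 0;
}
```

With the 40-byte size the commit message mentions, the unconditional path records one write past the user's buffer (the `revision` field) while the gated path writes `prog_cnt` only; a 16-byte size is rejected up front with `-EINVAL` instead of producing two stray writes.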
