On Thu, May 28, 2026 at 11:37 PM Leon Hwang <[email protected]> wrote:
> To avoid such stack corruption, you should reserve enough space for the
> query, e.g., by extracting union bpf_attr from kernel BTF vmlinux.

That seems unreasonable. There's already a size in the bpf syscall, why can't the kernel respect that? Also, the length of bpf_attr has increased over time as the kernel adds more elements. Doesn't that mean that even if the userspace program passes a sufficient size, a future kernel could start writing more bytes and start overwriting memory? Breaking userspace on kernel upgrades should never happen.
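As an added illustration of the overrun being discussed (my own code, not from this thread or the kernel tree): a bpf() wrapper that places the header-sized union bpf_attr in a guarded buffer, passes the caller's size to the kernel, and checks afterwards whether anything past that size was written. The BPF_PROG_GET_NEXT_ID query in main is only a stand-in call; the guard helpers are the point.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#define GUARD_BYTES 256      /* slack after the attr the caller sized */
#define GUARD_PATTERN 0xA5

struct guarded_attr {
    union bpf_attr attr;              /* sized by the userspace headers */
    unsigned char guard[GUARD_BYTES]; /* canary region after it */
};

/* Paint buf[used..total) with the canary pattern. */
static void guard_fill(unsigned char *buf, size_t used, size_t total) {
    memset(buf + used, GUARD_PATTERN, total - used);
}

/* 1 if buf[used..total) still holds the canary, 0 if anything touched it. */
static int guard_intact(const unsigned char *buf, size_t used, size_t total) {
    for (size_t i = used; i < total; i++)
        if (buf[i] != GUARD_PATTERN) return 0;
    return 1;
}

/* bpf() with the caller's size; *overrun is set if the kernel wrote past it. */
static long bpf_guarded(int cmd, union bpf_attr *attr, unsigned int size, int *overrun) {
    struct guarded_attr g;
    unsigned char *raw = (unsigned char *)&g;
    if (size > sizeof g.attr) { errno = EINVAL; return -1; }
    memset(&g, 0, sizeof g);
    memcpy(&g.attr, attr, size);
    guard_fill(raw, size, sizeof g);   /* everything beyond size is canary */
    long ret = syscall(__NR_bpf, cmd, &g.attr, size);
    int saved = errno;
    *overrun = !guard_intact(raw, size, sizeof g);
    memcpy(attr, &g.attr, size);       /* hand back what the kernel filled in */
    errno = saved;
    return ret;
}

int main(void) {
    union bpf_attr attr;
    int overrun = 0;
    memset(&attr, 0, sizeof attr);
    attr.start_id = 0;   /* harmless query; may fail with EPERM unprivileged */
    long ret = bpf_guarded(BPF_PROG_GET_NEXT_ID, &attr, sizeof attr, &overrun);
    printf("ret=%ld errno=%d overrun=%d\n", ret, ret < 0 ? errno : 0, overrun);
    return overrun ? 2 : 0;
}
```

The guard starts at the size the caller passed, so it also covers the tail of the userspace-sized union itself, which is exactly where a newer kernel with a larger bpf_attr would write.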

