On Mon, Jul 13, 2026 at 01:44:18PM -0700, Eduard Zingerman wrote:
> On Mon, 2026-07-13 at 13:05 +0800, Shung-Hsi Yu wrote:
> > On Fri, Jul 10, 2026 at 06:27:41PM +0800, sun jian wrote:
> > [...]
> > > One detail about the attach-time check: I agree that some negative-offset
> > > constructions can still be rejected later if the max_tp_access accounting
> > > produces a large value. But the runtime reproducer I used exercises this
> > > specific access:
> > > 
> > >     r6 = *(u64 *)(r1 + 0)
> > >     r6 += -8
> > >     *(u64 *)(r6 + 0) = 0
> > > 
> > > Here reg->var_off.value is (u64)-8, off is 0, and size is 8. With the 
> > > current
> > > accounting,
> > >     reg->var_off.value + off + size
> > > wraps to 0. So max_tp_access records 0 and the attach-time writable_size 
> > > check
> > > does not reject it, even though the effective access starts at -8.
> > 
> > Yes, that should had been rejected.
> > 
> > > On the bpf base without the verifier fix, the temporary reproducer did 
> > > load
> > > and attach successfully:
> > >     negative_bpf_load: PASS
> > >     negative_raw_tp_open: PASS
> > >     negative_test_run: PASS
> > > and KASAN reported the stack-out-of-bounds write in ___bpf_prog_run.
> > > 
> > > So for this particular range, this looks like more than a load-time policy
> > > difference: the missing lower-bound check leaves the access executable on 
> > > the
> > > bpf tree.
> > 
> > Actually I got this reproduced in the *bpf-next* tree now. And I think I
> > know why Eduard wasn't able to reproduce the issue.
> > 
> > The main problem was that CONFIG_BLK_DEV_NBD was not enabled in the
> > default BPF selftests configuration, so nbd_send_request wasn't
> > available, and thus the attachment always fail with -2 without
> > exercising the checks that we have in bpf_probe_register().
> > 
> > With CONFIG_BLK_DEV_NBD enabled, and negative_var_off_program[] updated
> > to do use offset of 0 (instead of 28 + 8), I was able to reproduce the
> > issue on top of commit `9a3a07d06e7d` "Merge branch
> > 'bpf-fix-warning-in-bpf_trampoline_multi_detach'" with the following
> > updated version of your patch.
> > 
> >   0: R1=ctx() R10=fp0
> >   0: (79) r6 = *(u64 *)(r1 +0)          ; R1=ctx() R6=tp_buffer()
> >   1: (07) r6 += -8                      ; R6=tp_buffer(imm=-8)
> >   2: (79) r0 = *(u64 *)(r6 +0)          ; R0=scalar() R6=tp_buffer(imm=-8)
> >   3: (95) exit
> >   processed 4 insns (limit 1000000) max_states_per_insn 0 total_states 0 
> > peak_states 0 mark_read 0
> >   tp_fd: 8
> >   check_nbd_attach_reject:FAIL:nbd_invalid_negative_var_off unexpected 
> > nbd_invalid_negative_var_off: actual 8 >= expected 0
> >   #319     raw_tp_writable_reject_nbd_invalid:FAIL
> > 
> > So I would say a fixes tag that points to 022ac0750883 is still needed
> > after all.
> 
> Hi Shung-Hsi, Sun,
> 
> Shung-Hsi, thank you for figuring out the quirk with the config.
> Indeed if I modify the test to be config independent the following
> program is both accepted at load and attached:
> 
>   *r6 = *(u64 *)(r1 +0)
>   r6 += -8
>   r0 = *(u64 *)(r6 +0)
> 
> Worse yet, the mechanism affects both PTR_TO_TP_BUFFER and PTR_TO_BUF.
> The PTR_TO_BUF is reachable from helpers/kfuncs with custom 'size' 
> assignments,
> as far as I understand.
> 
> Sun, of checks added by this patch:
> 
> >     var_off = (s64)reg->var_off.value;
> >     if (var_off >= BPF_MAX_VAR_OFF || var_off <= -BPF_MAX_VAR_OFF)
> 
> This should hold already.

FWIW, I had thought so, but after checking I realize that the verifier
only ensure that

  -BPF_MAX_VAR_OFF < smin < BPF_MAX_VAR_OFF

holds true in check_reg_sane_offset_{scalar,ptr}(), and does not check
smax, so technically var_off.value can be greater than BPF_MAX_VAR_OFF
when we reach here, just that it doesn't really matter much as it is
rejected anyway. And if it is a constant then smin=smax, so for a
constant value it does always falls between +-BPF_MAX_VAR_OFF.

  0: (79) r6 = *(u64 *)(r1 +0)          ; R1=ctx() R6=tp_buffer()
  1: (85) call bpf_get_prandom_u32#7    ; R0=scalar()
  2: (bf) r2 = r0                       ; R0=scalar(id=1) R2=scalar(id=1)
  3: (67) r2 <<= 32                     ; 
R2=scalar(smax=0x7fffffff00000000,smin32=0,smax32=umax32=0,var_off=(0x0; 
0xffffffff00000000))
  4: (77) r2 >>= 32                     ; 
R2=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
  5: (07) r2 += 536870911               ; 
R2=scalar(smin=umin=0x1fffffff,smax=umax=0x11ffffffe,var_off=(0x0; 0x1ffffffff))
                /* r2 is now [2^29 - 1, 2^32 + 2^29 - 2] */
  6: (0f) r6 += r2
  7: R2=scalar(smin=umin=0x1fffffff,smax=umax=0x11ffffffe,var_off=(0x0; 
0x1ffffffff)) 
R6=tp_buffer(smin=umin=0x1fffffff,smax=umax=0x11ffffffe,var_off=(0x0; 
0x1ffffffff))
  7: (79) r0 = *(u64 *)(r6 +0)
  R6 invalid variable buffer offset: off=0, var_off=(0x0; 0x1ffffffff)

In short, it is much simpler to just check tnum_is_const() right away
before using var_off.value.

> >     start = var_off + off;
> >     if (start < 0)
> 
> This one is necessary.
> 
> >     if (size < 0) {
> 
> Technically this one is bounded by 1,2,4,8 in case of instructions and
> by BPF_MAX_VAR_SIZ in case of a helper/kfunc (see check_mem_size_reg()).

Oh right, missed the check_mem_size_reg() case. But as Eduard said, this
should still be bounded, so can drop this check.

[...]

Reply via email to