superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/kernel/bpf
History
Deepanshu Kartikey 9df5fad801 bpf: Reject BPF_MAP_TYPE_INSN_ARRAY in check_reg_const_str() 
BPF_MAP_TYPE_INSN_ARRAY maps store instruction pointers in their
ips array, not string data. The map_direct_value_addr callback for
this map type returns the address of the ips array, which is not
suitable for use as a constant string argument.

When a BPF program passes a pointer to an insn_array map value as
ARG_PTR_TO_CONST_STR (e.g., to bpf_snprintf), the verifier's
null-termination check in check_reg_const_str() operates on the
wrong memory region, and at runtime bpf_bprintf_prepare() can read
out of bounds searching for a null terminator.

Reject BPF_MAP_TYPE_INSN_ARRAY in check_reg_const_str() since this
map type is not designed to hold string data.

Reported-by: syzbot+2c29addf92581b410079@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2c29addf92581b410079
Tested-by: syzbot+2c29addf92581b410079@syzkaller.appspotmail.com
Fixes: 493d9e0d60 ("bpf, x86: add support for indirect jumps")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Acked-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20260107021037.289644-1-kartikey406@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
 		2026-01-07 19:03:46 -08:00
..
preload umd: Remove usermode driver framework 2025-07-26 21:03:04 +02:00
Kconfig bpf: Update the bpf_prog_calc_tag to use SHA256 2025-09-18 19:10:20 -07:00
Makefile bpf, x86: add new map type: instructions array 2025-11-05 17:31:25 -08:00
arena.c mm: consistently use current->mm in mm_get_unmapped_area() 2025-11-16 17:27:57 -08:00
arraymap.c bpf: generalize and export map_get_next_key for arrays 2025-10-21 11:17:25 -07:00
bloom_filter.c
bpf_cgrp_storage.c bpf: use rcu_read_lock_dont_migrate() for bpf_cgrp_storage_free() 2025-08-25 18:52:16 -07:00
bpf_inode_storage.c bpf: use rcu_read_lock_dont_migrate() for bpf_inode_storage_free() 2025-08-25 18:52:16 -07:00
bpf_insn_array.c bpf: force BPF_F_RDONLY_PROG on insn array creation 2025-11-28 15:15:43 -08:00
bpf_iter.c bpf: convert bpf_iter_new_fd() to FD_PREPARE() 2025-11-28 12:42:33 +01:00
bpf_local_storage.c bpf: Replace bpf memory allocator with kmalloc_nolock() in local storage 2025-11-18 16:20:25 -08:00
bpf_lru_list.c bpf: Replace get_next_cpu() with cpumask_next_wrap() 2025-08-18 15:11:02 +02:00
bpf_lru_list.h bpf: Adjust free target to avoid global starvation of LRU map 2025-06-18 18:50:14 -07:00
bpf_lsm.c bpf: Disable file_alloc_security hook 2025-11-28 15:18:28 -08:00
bpf_struct_ops.c bpf: Export necessary symbols for modules with struct_ops 2025-11-10 11:07:34 -08:00
bpf_task_storage.c bpf: use rcu_read_lock_dont_migrate() for bpf_task_storage_free() 2025-08-25 18:52:16 -07:00
btf.c bpf: Allow union argument in trampoline based programs 2025-09-23 12:07:46 -07:00
btf_iter.c
btf_relocate.c
cgroup.c bpf: Convert bpf_sock_addr_kern "uaddr" to sockaddr_unsized 2025-11-04 19:10:33 -08:00
cgroup_iter.c
core.c bpf: Add bpf_has_frame_pointer() 2025-12-09 23:29:42 -08:00
cpumap.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf after rc5 2025-09-11 09:34:37 -07:00
cpumask.c bpf: fix missing kdoc string fields in cpumask.c 2025-03-15 11:48:57 -07:00
crypto.c bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt 2025-09-09 15:07:57 -07:00
devmap.c bpf: Remove redundant __GFP_NOWARN 2025-08-12 14:56:04 -07:00
disasm.c bpf: disasm: add support for BPF_JMP|BPF_JA|BPF_X 2025-11-05 17:53:23 -08:00
disasm.h
dispatcher.c
dmabuf_iter.c bpf: Fix truncated dmabuf iterator reads 2025-12-09 23:48:34 -08:00
hashtab.c bpf: Free special fields when update [lru_,]percpu_hash maps 2025-11-13 09:14:15 -08:00
helpers.c Networking changes for 6.19. 2025-12-03 17:24:33 -08:00
inode.c convert bpf 2025-11-16 01:35:03 -05:00
kmem_cache_iter.c
link_iter.c bpf: Clean up individual BTF_ID code 2025-07-16 18:34:42 -07:00
liveness.c bpf: correct stack liveness for tail calls 2025-11-21 17:45:30 -08:00
local_storage.c bpf: Remove redundant __GFP_NOWARN 2025-08-12 14:56:04 -07:00
log.c bpf, x86: add support for indirect jumps 2025-11-05 17:53:23 -08:00
lpm_trie.c bpf: Convert lpm_trie.c to rqspinlock 2025-03-19 08:03:05 -07:00
map_in_map.c
map_in_map.h
map_iter.c
memalloc.c bpf: replace use of system_unbound_wq with system_dfl_wq 2025-09-08 10:04:37 -07:00
mmap_unlock_work.h
mprog.c
net_namespace.c bpf: Remove attach_type in bpf_netns_link 2025-07-11 11:01:04 -07:00
offload.c net: move misc netdev_lock flavors to a separate header 2025-03-08 09:06:50 -08:00
percpu_freelist.c bpf: Convert percpu_freelist.c to rqspinlock 2025-03-19 08:03:05 -07:00
percpu_freelist.h bpf: Convert percpu_freelist.c to rqspinlock 2025-03-19 08:03:05 -07:00
prog_iter.c bpf: Clean up individual BTF_ID code 2025-07-16 18:34:42 -07:00
queue_stack_maps.c bpf: Convert queue_stack map to rqspinlock 2025-04-10 12:51:10 -07:00
range_tree.c bpf: Use kmalloc_nolock() in range tree 2025-11-06 15:55:19 -08:00
range_tree.h
relo_core.c
reuseport_array.c
ringbuf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf after 6.18-rc4 2025-11-03 14:59:55 -08:00
rqspinlock.c rqspinlock: Precede non-head waiter queueing with AA check 2025-11-29 09:35:36 -08:00
rqspinlock.h rqspinlock: Protect waiters in queue from stalls 2025-03-19 08:03:05 -07:00
stackmap.c bpf-next-6.19 2025-12-03 16:54:54 -08:00
stream.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf after 6.18-rc5+ 2025-11-14 17:43:41 -08:00
syscall.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
sysfs_btf.c Driver core changes for 6.17-rc1 2025-07-29 12:15:39 -07:00
task_iter.c
tcx.c bpf: Remove location field in tcx_link 2025-07-11 11:00:57 -07:00
tnum.c bpf: Improve the general precision of tnum_mul 2025-08-27 15:00:26 -07:00
token.c bpf: convert bpf_token_create() to FD_PREPARE() 2025-11-28 12:42:33 +01:00
trampoline.c bpf: implement "jmp" mode for trampoline 2025-11-24 09:47:04 -08:00
verifier.c bpf: Reject BPF_MAP_TYPE_INSN_ARRAY in check_reg_const_str() 2026-01-07 19:03:46 -08:00