> This looks like a bug fix for an out-of-bounds write vulnerability.
> Should this include a Fixes: tag to identify which commit introduced the
> unconditional copy_to_user() calls for query.revision without checking
> the user-provided buffer size?
>
> Fixes: 3fe213c040b3 ("adding ci files")
I completely missed this checkpatch comment. I will add the Fixes tag
in v2 if there is a consensus that this patch is the right approach to
resolve the issue.
On Fri, May 15, 2026 at 5:14 PM <[email protected]> wrote:
>
> > bpf: align syscall writeback behavior with caller-declared size
> >
> > The bpf(cmd, attr, size) syscall copies up to 'size' bytes on input, but
> > several commands write outputs back to userspace unconditionally. Because
> > copy_to_user() does not fault on adjacent mapped memory, a short userspace
> > buffer results in out-of-bounds writes, potentially overwriting adjacent
> > userspace memory.
> >
> > Address this by introducing two policies based on field type:
> >
> > 1) Mandatory fields (original ABI): Return -EINVAL in __sys_bpf() if the
> > buffer size does not cover them. This hardens the syscall front-gate
> > for the following commands:
> > - BPF_PROG_QUERY (min size: query.prog_cnt)
> > - BPF_PROG_TEST_RUN (min size: test.duration)
> > - BPF_*_GET_NEXT_ID (min size: next_id)
> > - BPF_OBJ_GET_INFO_BY_FD (min size: info.info_len)
> > - BPF_TASK_FD_QUERY (minimum size: task_fd_query.probe_addr)
> > - BPF_MAP_*_BATCH (min size: batch.flags)
> >
> > 2) Optional fields (later revisions): Skip writeback if the buffer size
> > does not cover the field. This is applied to BPF_PROG_QUERY's
> > 'query.revision'. Older userspace passing a smaller size (e.g., 40
> > bytes) will have the write safely skipped. This size-gating pattern
> > mirrors the existing precedent used for 'log_true_size' (verifier.c)
> > and 'btf_log_true_size' (btf.c).
> >
> > To support this, the user-declared 'size' is plumbed from __sys_bpf()
> > through the query dispatchers (cgroup, tcx, netkit) to the underlying
> > writeback helpers in cgroup.c and mprog.c.
> >
> > Cc: Maciej Żenczykowski <[email protected]>
> > Cc: Lorenzo Colitti <[email protected]>
> > Signed-off-by: Yuyang Huang <[email protected]>
> > Link: https://lore.kernel.org/r/CANP3RGfZTXM_u=e_atoompzxutoqj02nomkccr-ybzbom2s...@mail.gmail.com
>
> This looks like a bug fix for an out-of-bounds write vulnerability.
> Should this include a Fixes: tag to identify which commit introduced the
> unconditional copy_to_user() calls for query.revision without checking
> the user-provided buffer size?
>
> Fixes: 3fe213c040b3 ("adding ci files")
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/25905928331
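The two writeback policies described in the quoted commit message, as an added C model that is not the patch's or the kernel's code: struct query_attr, put_user_field(), query_writeback() and simulate_caller() are constructed stand-ins with an illustrative field layout, not the real uapi definitions or kernel helpers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for union bpf_attr's 'query' member; layout is illustrative. */
struct query_attr {
	uint32_t target_fd, attach_type, query_flags, attach_flags;
	uint64_t prog_ids;                 /* user pointer */
	uint32_t prog_cnt, pad;            /* prog_cnt: mandatory output (original ABI) */
	uint64_t prog_attach_flags, link_ids, link_attach_flags;
	uint64_t revision;                 /* optional output, added in a later revision */
};
/* Same idea as the kernel's offsetofend(): bytes needed to cover 'member'. */
#define offsetofend(type, member) (offsetof(type, member) + sizeof(((type *)0)->member))
#define QUERY_MIN_SIZE offsetofend(struct query_attr, prog_cnt)
/* Stand-in for copy_to_user(): it does not fault while the destination is mapped. */
static void put_user_field(void *uattr, size_t off, const void *v, size_t n)
{
	memcpy((char *)uattr + off, v, n);
}
/* Both policies from the commit message: -EINVAL when 'size' does not cover
 * the mandatory field; the optional 'revision' is written only when the
 * caller-declared size covers it. */
static int query_writeback(void *uattr, unsigned int size,
			   uint32_t prog_cnt, uint64_t revision)
{
	if (size < QUERY_MIN_SIZE)
		return -EINVAL;
	put_user_field(uattr, offsetof(struct query_attr, prog_cnt),
		       &prog_cnt, sizeof(prog_cnt));
	if (size >= offsetofend(struct query_attr, revision))
		put_user_field(uattr, offsetof(struct query_attr, revision),
			       &revision, sizeof(revision));
	return 0;
}
struct outcome { int err; uint32_t prog_cnt; int clobbered; };
/* A caller declares 'size' bytes of a full-sized area; bytes beyond 'size' are
 * canary standing in for adjacent user memory and are checked after writeback. */
static struct outcome simulate_caller(unsigned int size)
{
	unsigned char user[sizeof(struct query_attr)];
	struct outcome o = { 0, 0, 0 };
	memset(user, 0xA5, sizeof(user));
	o.err = query_writeback(user, size, 3, 7);
	memcpy(&o.prog_cnt, user + offsetof(struct query_attr, prog_cnt), sizeof(o.prog_cnt));
	for (size_t i = size; i < sizeof(user); i++)
		o.clobbered += user[i] != 0xA5;
	return o;
}
```

An old-ABI caller declaring 40 bytes gets prog_cnt back with no byte written past its buffer, while a buffer too short for prog_cnt is rejected at the front gate.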