On Sat, 2026-06-06 at 18:50 +0800, Nuoqi Gui wrote:
> Constant pointer arithmetic on a PTR_TO_FLOW_KEYS register lands the
> constant in reg->var_off (e.g. flow_keys(imm=4096)), but the
> PTR_TO_FLOW_KEYS path in check_mem_access() passes only insn->off to
> check_flow_keys_access() and never folds reg->var_off.value. The
> verifier therefore accepts an access that, at runtime, dereferences past
> struct bpf_flow_keys -- a verifier/runtime divergence that yields an
> out-of-bounds read and write of kernel stack memory.
>
> Commit 022ac0750883 ("bpf: use reg->var_off instead of reg->off for
> pointers") removed the generic "off += reg->off" that check_mem_access()
> applied before the per-type dispatch and replaced it with per-path
> folding of reg->var_off.value (for example the ctx path now folds the
> register offset via check_ctx_access()). The PTR_TO_FLOW_KEYS path was
> not given the equivalent fold, so a constant offset that used to be
> folded and rejected is now silently accepted:
>
> before 022ac0750883: the offset stays in reg->off and is folded
> generically, so the access is checked with off=4096 and rejected.
> after 022ac0750883: the offset lands in reg->var_off, the flow_keys
> path checks off=0 and accepts; at runtime the access dereferences
> base + 0x1000.
>
> For a BPF_PROG_TYPE_FLOW_DISSECTOR program the following is accepted:
>
> r2 = *(u64 *)(r1 + 144) ; R2=flow_keys (PTR_TO_FLOW_KEYS)
> r2 += 0x1000 ; R2=flow_keys(imm=4096), accepted
> r0 = *(u64 *)(r2 + 0) ; accepted, var_off.value=0x1000 ignored
>
> while the equivalent insn->off form
>
> r0 = *(u64 *)(r2 + 0x1000)
>
> has the same effective offset but is correctly rejected with
> "invalid access to flow keys off=4096 size=8", which isolates the defect
> to the missing var_off fold. Once attached as a flow dissector, the
> accepted program reads kernel stack past struct bpf_flow_keys (a
> kernel-stack / KASLR information leak) and can likewise write past it,
> corrupting kernel memory.
>
> Fix it by folding reg->var_off.value into the offset before the bounds
> check and rejecting non-constant offsets, mirroring the other pointer
> types (e.g. check_ctx_access()).
>
> No released kernel is affected; the regression is confined to the 7.1
> development cycle (reproduced on v7.1-rc1..rc5), and v7.0.x rejects the
> program above.
>
> Fixes: 022ac0750883 ("bpf: use reg->var_off instead of reg->off for pointers")
> Signed-off-by: Nuoqi Gui <[email protected]>
> ---
Acked-by: Eduard Zingerman <[email protected]>
[...]
