scalar += rdonly_untrusted_mem reaches adjust_ptr_min_max_vals() with the
pointer as the source register. The untrusted PTR_TO_MEM case returns there
without updating the scalar destination, leaving stale verifier state.

Reject that addition before the early return. Pointer += scalar remains
handled by the existing untrusted-memory rule.

Patch 1 adds the verifier rejection. Patch 2 adds a verifier regression
test for scalar += bpf_rdonly_cast(..., 0).

Validation:

  unpatched bpf-next 8496d9020ff3:
    BPF_PROG_LOAD -> fd=4 errno=0
    RESULT: verifier ACCEPTED (unexpected_accept)

  patched bpf-next 8496d9020ff3 + this series:
    BPF_PROG_LOAD -> fd=-1 errno=13 (Permission denied)
    R1 tried to add from rdonly_untrusted_mem to scalar
    RESULT: verifier REJECTED as expected

Signed-off-by: Nuoqi Gui <[email protected]>
---
Nuoqi Gui (2):
      bpf: Reject scalar addition from untrusted memory
      selftests/bpf: Cover scalar addition from rdonly untrusted memory

 kernel/bpf/verifier.c                                  |  8 ++++++++
 .../testing/selftests/bpf/progs/mem_rdonly_untrusted.c | 17 +++++++++++++++++
 2 files changed, 25 insertions(+)
---
base-commit: 8496d9020ff37a33c2a7b2fc84350fd03ffbde78
change-id: 20260609-f01-03-scalar-add-bpf-next-0ccf8a54f338
Best regards,
--
Nuoqi Gui <[email protected]>