bpf_msg_pop_data() computes "u64 last = start + len" with u32 operands, so a len close to U32_MAX wraps the sum and passes the bounds check. The pop loop then walks off the end of the sk_msg scatterlist and sk_msg_shift_left() calls put_page() on the empty msg->sg.end slot.
v2:
- add selftest (Cong Wang)
- change pop to u32 (Emil Tsalapatis)

v1: https://lore.kernel.org/all/[email protected]/

Sechang Lim (2):
  bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check
  selftests/bpf: add test for bpf_msg_pop_data() overflow

 net/core/filter.c                                       |  4 +-
 .../selftests/bpf/prog_tests/sockmap_basic.c            | 48 +++++++++++++++++++
 .../bpf/progs/test_sockmap_msg_pop_data.c               | 27 +++++++++++
 3 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_sockmap_msg_pop_data.c

-- 
2.43.0
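The arithmetic behind the cover letter's description, as an added userspace example that is not part of the patch series and not the kernel's code. It reproduces the shape of the check (`u64 last = start + len` followed by a comparison against the scatterlist size) with both operands as u32, and contrasts it with a widened addition. The exact form of the original check, the `-EINVAL` return and the fixed variant are assumptions for illustration; the series itself says only that v2 changed the pop length to u32, so the real diff may look different.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

typedef uint32_t u32;
typedef uint64_t u64;

/*
 * Bounds check in the shape the cover letter describes: both operands are
 * u32, so the addition wraps modulo 2^32 *before* the result is widened to
 * u64. The widening therefore buys nothing. (Assumed form, not the kernel's
 * exact source.)
 */
static int pop_check_before(u32 sg_size, u32 start, u32 len)
{
	u64 last = start + len;		/* u32 + u32: wraps, then widens */

	if (start >= sg_size || last > sg_size)
		return -EINVAL;
	return 0;
}

/*
 * Hardened variant (assumption): widen one operand first so the sum is
 * computed in 64 bits and a len near U32_MAX can no longer wrap past the
 * size check.
 */
static int pop_check_after(u32 sg_size, u32 start, u32 len)
{
	u64 last = (u64)start + len;	/* 64-bit addition, cannot wrap */

	if (start >= sg_size || last > sg_size)
		return -EINVAL;
	return 0;
}

/* The value the wrapped check actually compared against sg_size. */
static u64 wrapped_last(u32 start, u32 len)
{
	return start + len;		/* same u32 arithmetic as the buggy check */
}

/*
 * How far past the end of the message the pop loop would be asked to walk
 * once the wrapped check lets the request through.
 */
static u64 bytes_past_end(u32 sg_size, u32 start, u32 len)
{
	u64 end = (u64)start + len;

	return end > sg_size ? end - sg_size : 0;
}

int main(void)
{
	/* Constructed sample: a 4 KiB sk_msg, pop at offset 100. */
	u32 sg_size = 4096, start = 100;
	u32 evil_len = UINT32_MAX - 50;	/* 100 + evil_len wraps to 49 */

	printf("wrapped last = %llu\n",
	       (unsigned long long)wrapped_last(start, evil_len));
	printf("before: %d  after: %d\n",
	       pop_check_before(sg_size, start, evil_len),
	       pop_check_after(sg_size, start, evil_len));
	printf("bytes past end if allowed: %llu\n",
	       (unsigned long long)bytes_past_end(sg_size, start, evil_len));
	return 0;
}
```

A len of `UINT32_MAX - 50` added to a start of 100 wraps to 49 in u32, which is below the 4096-byte size, so the unwidened check accepts a pop of roughly 4 GiB from a 4 KiB message; the widened check rejects it while still accepting ordinary in-range pops.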

