On 6/12/26 12:53 AM, Alexei Starovoitov wrote:
> On Thu Jun 11, 2026 at 5:34 AM PDT, Jiayuan Chen wrote:
> > From: Weiming Shi <[email protected]>
> >
> > When the scatterlist ring is full or nearly full, bpf_msg_push_data()
> > enters a copy fallback path and computes copy + len for the page
> > allocation size. Since len comes from BPF with arg3_type = ARG_ANYTHING
> > and both are u32, a crafted len can wrap the sum to a small value,
> > causing an undersized allocation followed by an out-of-bounds memcpy.
> >
> > BUG: unable to handle page fault for address: ffffed104089a402
> > Oops: Oops: 0000 [#1] SMP KASAN NOPTI
> > Call Trace:
> >  __asan_memcpy (mm/kasan/shadow.c:105)
> >  bpf_msg_push_data (net/core/filter.c:2852 net/core/filter.c:2788)
> >  bpf_prog_9ed8b5711920a7d7+0x2e/0x36
> >  sk_psock_msg_verdict (net/core/skmsg.c:934)
> >  tcp_bpf_sendmsg (net/ipv4/tcp_bpf.c:421 net/ipv4/tcp_bpf.c:584)
> >  __sys_sendto (net/socket.c:2206)
> >  do_syscall_64 (arch/x86/entry/syscall_64.c:94)
> >  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> >
> > Add an overflow check before the allocation.
> >
> > Link: https://lore.kernel.org/all/[email protected]
> > Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
> > Tested-by: Xiang Mei <[email protected]>
> > Tested-by: Xinyu Ma <[email protected]>
> > Reviewed-by: Jiayuan Chen <[email protected]>
> > Cc: Jiayuan Chen <[email protected]>
> > Signed-off-by: Weiming Shi <[email protected]>
>
> That's not the right way to post somebody else's patches.
> You need to keep their authorship and SOB (as you did),
> but you also need to add your SOB after theirs.
>
> Also pls target bpf-next.

Thanks Alexei, and sorry for the noise -- I'm still new to handling other
people's patches.

I'll keep their authorship and SOB and add my own SOB and retarget to
bpf-next.
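The u32 wrap described in the quoted commit message, shown as an added C illustration. This is not kernel code and not part of the thread: it models the fallback path's size computation with two u32 operands, compares the wrapped result against the bytes the two memcpy's would actually write, and contrasts it with a checked variant using __builtin_add_overflow(), which is what the kernel's check_add_overflow() helper in include/linux/overflow.h is built on. The function names, the sample values (copy=100, len=0xfffffff0) and the -1 error return are assumptions made for the example; the real helper's error code and variable names are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not kernel code.  `copy` is the number of bytes the
 * fallback path has to carry over from the existing scatterlist element,
 * `len` is the BPF-supplied length (arg3_type = ARG_ANYTHING, so any u32).
 * Both are u32 as in the kernel, so `copy + len` is computed modulo 2^32.
 */

/* Unchecked size, as in the buggy path: may wrap to a small value. */
uint32_t push_size_unchecked(uint32_t copy, uint32_t len)
{
    return copy + len;
}

/*
 * Checked size, mirroring "add an overflow check before the allocation".
 * Returns the sum on success, or -1 if the u32 addition would wrap
 * (the kernel would return an errno here; -1 is an assumption for the demo).
 */
int64_t push_size_checked(uint32_t copy, uint32_t len)
{
    uint32_t sum;

    /* Same semantics as the kernel's check_add_overflow(copy, len, &sum). */
    if (__builtin_add_overflow(copy, len, &sum))
        return -1;
    return (int64_t)sum;
}

/*
 * Does the fallback copy fit in an allocation of the unchecked size?
 * The path copies `copy` bytes and then `len` bytes, i.e. copy + len
 * bytes computed without wrapping.  Returns 1 if that fits, 0 if the
 * second memcpy would run off the end (the KASAN report in the thread).
 * Nothing is allocated or written here; only the sizes are compared.
 */
int fallback_fits(uint32_t copy, uint32_t len)
{
    uint64_t allocated = push_size_unchecked(copy, len);
    uint64_t needed    = (uint64_t)copy + (uint64_t)len;

    return needed <= allocated;
}

int main(void)
{
    uint32_t copy = 100;                /* bytes already in the element */
    uint32_t len  = 0xfffffff0u;        /* crafted len from the BPF program */

    printf("unchecked size : %u bytes\n", push_size_unchecked(copy, len));
    printf("copy fits      : %d\n", fallback_fits(copy, len));
    printf("checked size   : %lld\n", (long long)push_size_checked(copy, len));
    printf("sane request   : %lld\n", (long long)push_size_checked(100, 50));
    return 0;
}
```

With the crafted length, 100 + 0xfffffff0 wraps to 84, so the allocation is 84 bytes while the two copies need over 4 GiB; the checked variant rejects the request before any page is allocated. The same pattern (bounds-check the arithmetic on the BPF-controlled argument, not just the argument) applies to any helper that takes ARG_ANYTHING and turns it into a size.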