BTF struct walks can relax the top-level struct-size check for trailing flexible arrays. That relaxation must not let a PTR_TO_BTF_ID | MEM_ALLOC access escape the bytes allocated by bpf_obj_new() or bpf_percpu_obj_new().
Patch 1 rejects MEM_ALLOC BTF walks whose access range reaches past the current struct size before applying the flexible-array relaxation. Patch 2 adds a linked_list negative loader case for this path.

Changes in v2:
- Move the check from bpf_obj_new() type validation to BTF struct walking.
- Reject MEM_ALLOC accesses that reach past the allocated object bounds.
- Update the selftest expected verifier error and carry Eduard's Acked-by.

v1: https://lore.kernel.org/bpf/[email protected]/

Yiyang Chen (2):
  bpf: Reject MEM_ALLOC BTF accesses past object bounds
  selftests/bpf: Cover MEM_ALLOC access past object bounds

 kernel/bpf/btf.c                                 | 14 +++++++----
 .../selftests/bpf/prog_tests/linked_list.c      |  1 +
 .../selftests/bpf/progs/linked_list_fail.c      | 23 +++++++++++++++++++
 3 files changed, 33 insertions(+), 5 deletions(-)

base-commit: a975094bf98ca97be9146f9d3b5681a6f9cf5ce3
-- 
2.34.1
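The ordering the cover letter describes (bound the MEM_ALLOC access first, only then consider the trailing flexible array) can be modelled in a few lines of userspace C. The following is an added illustration written for this note, not code from kernel/bpf/btf.c or from the series; the function name, the result enum and the assumption that a bpf_obj_new() object is exactly sizeof(struct) bytes are all this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the access decision described above.
 * Added illustration only; names and structure are invented, not the
 * verifier's real btf_struct_walk() logic.
 */
enum btf_access_result {
	BTF_ACCESS_OK = 0,
	BTF_ACCESS_REJECT_ALLOC_OOB,   /* MEM_ALLOC access past the allocated object */
	BTF_ACCESS_REJECT_STRUCT_OOB,  /* plain BTF access past the struct, no relaxation */
	BTF_ACCESS_REJECT_OVERFLOW,    /* off + size wrapped around */
};

/*
 * struct_size: size of the BTF struct being walked
 * off, size:   byte range of the access
 * mem_alloc:   pointer is PTR_TO_BTF_ID | MEM_ALLOC (from bpf_obj_new())
 * trailing_flex: struct ends in a flexible array member
 */
enum btf_access_result
check_btf_access(size_t struct_size, size_t off, size_t size,
		 bool mem_alloc, bool trailing_flex)
{
	size_t end;

	if (off > SIZE_MAX - size)
		return BTF_ACCESS_REJECT_OVERFLOW;
	end = off + size;

	/* Entirely inside the struct: allowed for every pointer kind. */
	if (end <= struct_size)
		return BTF_ACCESS_OK;

	/*
	 * Model assumption: a MEM_ALLOC object is exactly struct_size bytes,
	 * so nothing beyond it belongs to the program. Reject before the
	 * flexible-array relaxation gets a chance to apply.
	 */
	if (mem_alloc)
		return BTF_ACCESS_REJECT_ALLOC_OOB;

	/* Other BTF pointers keep the relaxed top-level size check. */
	if (trailing_flex)
		return BTF_ACCESS_OK;

	return BTF_ACCESS_REJECT_STRUCT_OOB;
}

static const char *result_name(enum btf_access_result r)
{
	switch (r) {
	case BTF_ACCESS_OK:                return "ok";
	case BTF_ACCESS_REJECT_ALLOC_OOB:  return "reject: past MEM_ALLOC object";
	case BTF_ACCESS_REJECT_STRUCT_OOB: return "reject: past struct";
	default:                           return "reject: offset overflow";
	}
}

int main(void)
{
	/* Constructed cases: a 16-byte struct with a trailing flex array. */
	struct { size_t off, size; bool alloc, flex; } cases[] = {
		{ 8, 8,  false, true  },  /* inside struct */
		{ 16, 4, false, true  },  /* into flex array, plain BTF ptr: relaxed */
		{ 16, 4, true,  true  },  /* into flex array, MEM_ALLOC: rejected */
		{ 16, 4, false, false },  /* past struct, no flex array: rejected */
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("off=%zu size=%zu mem_alloc=%d flex=%d -> %s\n",
		       cases[i].off, cases[i].size, cases[i].alloc, cases[i].flex,
		       result_name(check_btf_access(16, cases[i].off, cases[i].size,
						    cases[i].alloc, cases[i].flex)));
	return 0;
}
```

The point of the ordering is that the relaxation is a property of the type, while the bound is a property of the allocation; for a MEM_ALLOC pointer the allocation is the authoritative limit, so the alloc check has to run first.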

