BTF struct walks can relax the top-level struct-size check for trailing flexible arrays. That relaxation must not let a PTR_TO_BTF_ID | MEM_ALLOC access escape the bytes allocated by bpf_obj_new() or bpf_percpu_obj_new().
Patch 1 rejects MEM_ALLOC BTF walks whose access range reaches past the current struct size before applying the flexible-array relaxation. This now also applies to struct ID matching used by kfunc and kptr type checks.

Patch 2 adds a linked_list negative loader case for this path.

Changes in v3:
- Pass the flexible-array walk policy through btf_struct_ids_match() callers, so MEM_ALLOC kfunc/kptr type checks use the same bounds rule.
- Rename the btf_struct_walk() parameter to walk_flex_arrays.
- Rebase onto current bpf-next.

v2: https://lore.kernel.org/bpf/[email protected]/
v1: https://lore.kernel.org/bpf/[email protected]/

Yiyang Chen (2):
  bpf: Reject MEM_ALLOC BTF accesses past object bounds
  selftests/bpf: Cover MEM_ALLOC access past object bounds

 include/linux/bpf.h                                |  2 +-
 kernel/bpf/btf.c                                   | 17 +++++++++-----
 kernel/bpf/verifier.c                              | 11 +++++----
 .../selftests/bpf/prog_tests/linked_list.c         |  1 +
 .../selftests/bpf/progs/linked_list_fail.c         | 23 +++++++++++++++++++
 5 files changed, 43 insertions(+), 11 deletions(-)

base-commit: 53435562a725962e4de0c29653223129ba11643a
-- 
2.34.1
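The bounds rule the cover letter describes, as an added illustration that is not part of the series or of the kernel's btf_struct_walk(): a small userspace model in which a struct access is first checked against the declared struct size and the trailing-flexible-array relaxation is only consulted afterwards, and never for a MEM_ALLOC object, whose allocation from bpf_obj_new() is exactly the struct size. The struct_model type, the walk_flex_policy enum, the function names and the two constructed struct layouts (16-byte objects, one ending in a flexible array) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a BTF struct type, not the kernel's struct btf_type. */
struct struct_model {
	const char *name;
	size_t size;              /* sizeof(struct) as recorded in BTF */
	bool has_trailing_flex;   /* struct ends in a flexible array member */
};

/* Assumed policy values; the real parameter is a bool named walk_flex_arrays. */
enum walk_flex_policy {
	WALK_FLEX_ARRAYS_ALLOWED, /* plain PTR_TO_BTF_ID into kernel memory */
	WALK_FLEX_ARRAYS_DENIED,  /* PTR_TO_BTF_ID | MEM_ALLOC from bpf_obj_new() */
};

/* Constructed sample types: same declared size, differing only in the
 * trailing flexible array. */
static const struct struct_model flex_node  = { "flex_node",  16, true  };
static const struct struct_model plain_node = { "plain_node", 16, false };

/*
 * Returns true when the access [off, off + size) is accepted.
 *
 * Order matters: the access range is compared against the declared struct
 * size first; only an access that reaches past the end is a candidate for
 * the flexible-array relaxation, and that relaxation is refused outright
 * when the object is a MEM_ALLOC allocation.
 */
bool model_struct_access_ok(const struct struct_model *t, size_t off,
			    size_t size, enum walk_flex_policy policy)
{
	if (size == 0 || off + size < off)   /* empty or wrapping range */
		return false;
	if (off + size <= t->size)           /* inside the declared struct */
		return true;
	/* Past the declared size. */
	if (policy == WALK_FLEX_ARRAYS_DENIED)
		return false;                /* MEM_ALLOC: nothing beyond t->size exists */
	return t->has_trailing_flex;         /* kernel memory: flex tail may extend */
}

/* Model of the type-ID match used by kfunc/kptr checks: a candidate type
 * matches only if every byte the caller will touch is legal under the
 * same policy as a direct walk. */
bool model_struct_ids_match(const struct struct_model *t, size_t off,
			    size_t size, enum walk_flex_policy policy)
{
	return model_struct_access_ok(t, off, size, policy);
}

int main(void)
{
	/* 4-byte access at offset 16: one element into the flex tail. */
	printf("kernel flex_node  off=16 size=4: %s\n",
	       model_struct_access_ok(&flex_node, 16, 4,
				      WALK_FLEX_ARRAYS_ALLOWED) ? "ok" : "reject");
	printf("alloc  flex_node  off=16 size=4: %s\n",
	       model_struct_access_ok(&flex_node, 16, 4,
				      WALK_FLEX_ARRAYS_DENIED) ? "ok" : "reject");
	/* 8-byte access at offset 12 straddles the end of the allocation. */
	printf("alloc  flex_node  off=12 size=8: %s\n",
	       model_struct_access_ok(&flex_node, 12, 8,
				      WALK_FLEX_ARRAYS_DENIED) ? "ok" : "reject");
	return 0;
}
```

The straddling case (offset 12, size 8 on a 16-byte object) is the one a naive "relax if the struct has a flex array" check lets through: the access starts inside the object but its last four bytes land outside the bpf_obj_new() allocation.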

