On Mon, 2026-07-13 at 13:05 +0800, Shung-Hsi Yu wrote:
> On Fri, Jul 10, 2026 at 06:27:41PM +0800, sun jian wrote:
> [...]
> > One detail about the attach-time check: I agree that some negative-offset
> > constructions can still be rejected later if the max_tp_access accounting
> > produces a large value. But the runtime reproducer I used exercises this
> > specific access:
> >
> > r6 = *(u64 *)(r1 + 0)
> > r6 += -8
> > *(u64 *)(r6 + 0) = 0
> >
> > Here reg->var_off.value is (u64)-8, off is 0, and size is 8. With the
> > current
> > accounting,
> > reg->var_off.value + off + size
> > wraps to 0. So max_tp_access records 0 and the attach-time writable_size
> > check
> > does not reject it, even though the effective access starts at -8.
>
> Yes, that should had been rejected.
>
> > On the bpf base without the verifier fix, the temporary reproducer did load
> > and attach successfully:
> > negative_bpf_load: PASS
> > negative_raw_tp_open: PASS
> > negative_test_run: PASS
> > and KASAN reported the stack-out-of-bounds write in ___bpf_prog_run.
> >
> > So for this particular range, this looks like more than a load-time policy
> > difference: the missing lower-bound check leaves the access executable on
> > the
> > bpf tree.
>
> Actually I got this reproduced in the *bpf-next* tree now. And I think I
> know why Eduard wasn't able to reproduce the issue.
>
> The main problem was that CONFIG_BLK_DEV_NBD was not enabled in the
> default BPF selftests configuration, so nbd_send_request wasn't
> available, and thus the attachment always fail with -2 without
> exercising the checks that we have in bpf_probe_register().
>
> With CONFIG_BLK_DEV_NBD enabled, and negative_var_off_program[] updated
> to do use offset of 0 (instead of 28 + 8), I was able to reproduce the
> issue on top of commit `9a3a07d06e7d` "Merge branch
> 'bpf-fix-warning-in-bpf_trampoline_multi_detach'" with the following
> updated version of your patch.
>
> 0: R1=ctx() R10=fp0
> 0: (79) r6 = *(u64 *)(r1 +0) ; R1=ctx() R6=tp_buffer()
> 1: (07) r6 += -8 ; R6=tp_buffer(imm=-8)
> 2: (79) r0 = *(u64 *)(r6 +0) ; R0=scalar() R6=tp_buffer(imm=-8)
> 3: (95) exit
> processed 4 insns (limit 1000000) max_states_per_insn 0 total_states 0
> peak_states 0 mark_read 0
> tp_fd: 8
> check_nbd_attach_reject:FAIL:nbd_invalid_negative_var_off unexpected
> nbd_invalid_negative_var_off: actual 8 >= expected 0
> #319 raw_tp_writable_reject_nbd_invalid:FAIL
>
> So I would say a fixes tag that points to 022ac0750883 is still needed
> after all.
Hi Shung-Hsi, Sun,
Shung-Hsi, thank you for figuring out the quirk with the config.
Indeed if I modify the test to be config independent the following
program is both accepted at load and attached:
*r6 = *(u64 *)(r1 +0)
r6 += -8
r0 = *(u64 *)(r6 +0)
Worse yet, the mechanism affects both PTR_TO_TP_BUFFER and PTR_TO_BUF.
The PTR_TO_BUF is reachable from helpers/kfuncs with custom 'size' assignments,
as far as I understand.
Sun, of checks added by this patch:
> var_off = (s64)reg->var_off.value;
> if (var_off >= BPF_MAX_VAR_OFF || var_off <= -BPF_MAX_VAR_OFF)
This should hold already.
> start = var_off + off;
> if (start < 0)
This one is necessary.
> if (size < 0) {
Technically this one is bounded by 1,2,4,8 in case of instructions and
by BPF_MAX_VAR_SIZ in case of a helper/kfunc (see check_mem_size_reg()).
Let's respin v5 keeping minimal necessary checks and also update the
test case:
- use sub-tests.
- move raw_tp_writable_reject_nbd_invalid.c to use tracepoing from
the test module instead of nbd, to avoid nbd config dependency
(as in the attachment).
- if possible, could you please add a test that shows missing negative
offset access check to PTR_TO_BUF?
[...]
diff --git a/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c b/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_bad_access.c
similarity index 75%
rename from tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c
rename to tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_bad_access.c
index 216b0dfac0fe..e0a1ca3c1e6a 100644
--- a/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c
+++ b/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_bad_access.c
@@ -1,10 +1,10 @@
// SPDX-License-Identifier: GPL-2.0
#include <test_progs.h>
-#include <linux/nbd.h>
+#include "test_kmods/bpf_testmod.h"
#include "bpf_util.h"
-void test_raw_tp_writable_reject_nbd_invalid(void)
+void test_raw_tp_writable_reject_bad_access(void)
{
__u32 duration = 0;
char error[4096];
@@ -13,9 +13,9 @@ void test_raw_tp_writable_reject_nbd_invalid(void)
const struct bpf_insn program[] = {
/* r6 is our tp buffer */
BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
- /* one byte beyond the end of the nbd_request struct */
+ /* one byte beyond the end of the writable context struct */
BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6,
- sizeof(struct nbd_request)),
+ sizeof(struct bpf_testmod_test_writable_ctx)),
BPF_EXIT_INSN(),
};
@@ -32,7 +32,7 @@ void test_raw_tp_writable_reject_nbd_invalid(void)
"failed: %d errno %d\n", bpf_fd, errno))
return;
- tp_fd = bpf_raw_tracepoint_open("nbd_send_request", bpf_fd);
+ tp_fd = bpf_raw_tracepoint_open("bpf_testmod_test_writable_bare_tp", bpf_fd);
if (CHECK(tp_fd >= 0, "bpf_raw_tracepoint_writable open",
"erroneously succeeded\n"))
goto out_bpffd;