[PATCH bpf-next v3 0/2] bpf: Align syscall writeback behavior with user-declared size
From: Yuyang Huang
Date: Sun May 31 2026 - 03:56:14 EST
This series fixes an out-of-bounds write vulnerability in BPF_PROG_QUERY
while maintaining backward compatibility for older userspace applications.
BPF_PROG_QUERY unconditionally writes back the 'query.revision' field
to userspace. If userspace passes a smaller 'bpf_attr' structure (e.g. 40
bytes, which was the cgroup query layout before 'query.revision' was
added), the kernel performs an out-of-bounds write.
We address this by propagating the user-provided 'uattr_size' down to
the cgroup query handlers and conditionally skipping the write-back of
'query.revision' if the buffer is too small. This allows legacy cgroup
queries to succeed safely.
tcx and netkit queries are left unchanged since they were introduced in
the same merge window as 'query.revision' and have no legacy callers.
Finally, we add a selftest to verify these boundary behaviors.
Changes since v2:
- Propagate uattr_size to __cgroup_bpf_query() and conditionally write
revision (instead of unconditionally rejecting smaller sizes in front-gate).
- Update BPF selftests to verify that cgroup queries succeed with
OLD_QUERY_SIZE without writing revision, and succeed with FULL_QUERY_SIZE.
- Remove early size checks in the front-gate to keep the patch minimal.
Changes since v1:
- Simplify the kernel fix to checking the size only in bpf_prog_query().
- Revert all other subsystem query plumbing changes.
- Update BPF selftest to target BPF_CGROUP_INET_INGRESS cgroup query, and
add verification for attr size boundaries.
Yuyang Huang (2):
bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries
include/linux/bpf-cgroup.h | 5 +-
kernel/bpf/cgroup.c | 13 ++--
kernel/bpf/syscall.c | 6 +-
.../selftests/bpf/prog_tests/bpf_attr_size.c | 69 +++++++++++++++++++
4 files changed, 82 insertions(+), 11 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/bpf_attr_size.c
--
2.54.0.823.g6e5bcc1fc9-goog
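The size-guarded write-back the series describes, as an added stand-alone C example that is not part of the patch series or of the kernel: a constructed, simplified stand-in for the cgroup-query view of union bpf_attr (field names follow the uapi header, but the byte layout is an assumption for teaching purposes and is not claimed to match any kernel version), the unconditional write-back the cover letter calls out, the guarded version that compares the user-declared size against the end of the 'revision' field, and a canary-filled buffer that reports whether anything landed past the declared size. The helper names (writeback_guarded, simulate_query, read_back_full) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the cgroup-query view of union bpf_attr.
 * Field names follow the uapi header; the layout is a simplification
 * for this demo and is NOT claimed to match the kernel byte for byte. */
struct query_attr {
	uint32_t target_fd;
	uint32_t attach_type;
	uint32_t query_flags;
	uint32_t attach_flags;
	uint64_t prog_ids;            /* user pointer carried as u64 */
	uint32_t prog_cnt;
	uint32_t pad;
	uint64_t prog_attach_flags;
	uint64_t link_ids;
	uint64_t link_attach_flags;
	uint64_t revision;            /* added later; legacy callers stop before it */
};

/* A legacy caller's buffer ends just before 'revision'. */
#define OLD_QUERY_SIZE  offsetof(struct query_attr, revision)
#define FULL_QUERY_SIZE sizeof(struct query_attr)

/* Pattern the cover letter describes as the bug: the field is written
 * regardless of how large a buffer userspace declared. */
static void writeback_unguarded(void *uattr, size_t uattr_size, uint64_t rev)
{
	(void)uattr_size;
	memcpy((char *)uattr + offsetof(struct query_attr, revision), &rev, sizeof(rev));
}

/* Fixed pattern: write 'revision' only when the declared size covers the
 * whole field; otherwise skip it and let the legacy query succeed. */
static bool writeback_guarded(void *uattr, size_t uattr_size, uint64_t rev)
{
	size_t field_end = offsetof(struct query_attr, revision) + sizeof(rev);

	if (uattr_size < field_end)
		return false;
	memcpy((char *)uattr + offsetof(struct query_attr, revision), &rev, sizeof(rev));
	return true;
}

/*
 * Simulate a query against a buffer whose declared size is 'declared'.
 * The backing storage is always FULL_QUERY_SIZE bytes filled with a canary
 * pattern, so a write past 'declared' shows up as a changed canary byte
 * without any undefined behaviour inside this demo.
 * Returns  1: revision written within bounds
 *          0: revision skipped, bytes beyond 'declared' untouched
 *         -1: bytes beyond 'declared' were modified (out-of-bounds write)
 */
static int simulate_query(size_t declared, bool guarded, uint64_t rev, uint64_t *rev_out)
{
	unsigned char buf[FULL_QUERY_SIZE];
	bool wrote;

	memset(buf, 0xAA, sizeof(buf));
	if (guarded) {
		wrote = writeback_guarded(buf, declared, rev);
	} else {
		writeback_unguarded(buf, declared, rev);
		wrote = true;
	}
	for (size_t i = declared; i < sizeof(buf); i++)
		if (buf[i] != 0xAA)
			return -1;
	if (wrote && rev_out)
		memcpy(rev_out, buf + offsetof(struct query_attr, revision), sizeof(*rev_out));
	return wrote ? 1 : 0;
}

/* Full-size caller on the guarded path: return the value read back from the
 * revision slot, or 0 if nothing was written. */
static uint64_t read_back_full(uint64_t rev)
{
	uint64_t out = 0;

	if (simulate_query(FULL_QUERY_SIZE, true, rev, &out) != 1)
		return 0;
	return out;
}

int main(void)
{
	const uint64_t rev = 0x1122334455667788ULL;   /* constructed sample value */

	printf("old size, unguarded: %d\n", simulate_query(OLD_QUERY_SIZE, false, rev, NULL));
	printf("old size, guarded:   %d\n", simulate_query(OLD_QUERY_SIZE, true, rev, NULL));
	printf("full size, guarded:  revision=%llx\n", (unsigned long long)read_back_full(rev));
	return 0;
}
```

The check compares the declared size against the end offset of the field rather than against its start, so a buffer that stops partway through 'revision' is also treated as too small; the canary pattern deliberately shares no byte with the sample value so that any spill past the declared size is detected.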