Re: [PATCH bpf-next v3 0/2] bpf: Align syscall writeback behavior with user-declared size
From: patchwork-bot+netdevbpf
Date: Sun May 31 2026 - 12:20:20 EST
Hello:
This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@xxxxxxxxxx>:
On Sun, 31 May 2026 15:55:58 +0800 you wrote:
> This series fixes an out-of-bounds write vulnerability in BPF_PROG_QUERY
> while maintaining backward compatibility for older userspace applications.
>
> BPF_PROG_QUERY unconditionally writes back the 'query.revision' field
> to userspace. If userspace passes a smaller 'bpf_attr' structure (e.g. 40
> bytes, which was the cgroup query layout before 'query.revision' was
> added), the kernel performs an out-of-bounds write.
>
> [...]
Here is the summary with links:
  - [bpf-next,v3,1/2] bpf: fix BPF_PROG_QUERY OOB write and cgroup backward compat
    https://git.kernel.org/bpf/bpf-next/c/21c4b99b27f3
  - [bpf-next,v3,2/2] selftests/bpf: add verification for BPF_PROG_QUERY attr size boundaries
    https://git.kernel.org/bpf/bpf-next/c/5add3a4ad1a3
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
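
The size-gated writeback described in the quoted cover letter, as a userspace model added here (not code from the applied patches or from the kernel). struct model_attr, its 40-byte legacy region, the function names and the sample revision value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical attr layout: 40 legacy bytes, then a field added later. */
struct model_attr {
    uint8_t  legacy[40];
    uint64_t revision;
};
#define REV_OFF offsetof(struct model_attr, revision)
#define REV_END (REV_OFF + sizeof(uint64_t))

/* Pre-fix model: writes the new field whatever size the caller declared. */
static int writeback_unconditional(uint8_t *ubuf, uint32_t usize, uint64_t rev)
{
    (void)usize;
    memcpy(ubuf + REV_OFF, &rev, sizeof(rev));
    return 1;
}

/* Size-aware model: write only if the declared size covers the whole field. */
static int writeback_sized(uint8_t *ubuf, uint32_t usize, uint64_t rev)
{
    if (usize < REV_END)
        return 0;               /* older, shorter caller: skip the field */
    memcpy(ubuf + REV_OFF, &rev, sizeof(rev));
    return 1;
}

/* Count canary bytes changed past the declared size (arena is full-sized, so no UB). */
static int bytes_past_declared(int (*wb)(uint8_t *, uint32_t, uint64_t), uint32_t usize)
{
    uint8_t arena[sizeof(struct model_attr)];
    int n = 0;
    memset(arena, 0xAA, sizeof(arena));
    wb(arena, usize, 0x0102030405060708ULL);   /* constructed sample value */
    for (size_t i = usize; i < sizeof(arena); i++)
        n += arena[i] != 0xAA;
    return n;
}

int main(void)
{
    printf("unconditional, size 40: %d\n", bytes_past_declared(writeback_unconditional, 40));
    printf("size-aware,    size 40: %d\n", bytes_past_declared(writeback_sized, 40));
    return 0;
}
```

The check compares the declared size against the end of the field, not its start, so a caller whose structure ends partway through the field is also skipped.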