Re: [PATCH bpf-next v3 0/2] bpf, verifier: fix PTR_TO_FLOW_KEYS constant-offset OOB

From: patchwork-bot+netdevbpf

Date: Sat Jun 06 2026 - 20:00:23 EST


Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@xxxxxxxxxx>:

On Sat, 06 Jun 2026 18:50:36 +0800 you wrote:
> A constant offset added to a PTR_TO_FLOW_KEYS register lands in
> reg->var_off, but check_flow_keys_access() bounds-checks only insn->off
> and never folds reg->var_off.value. A BPF_PROG_TYPE_FLOW_DISSECTOR
> program can therefore do "flow_keys += 0x1000; *(flow_keys + 0)" and have
> it accepted, then read/write kernel stack past struct bpf_flow_keys at
> runtime. Patch 1 folds reg->var_off.value into the offset (and rejects
> non-constant offsets), mirroring check_ctx_access(); patch 2 adds verifier
> selftests.
>
> [...]

Here is the summary with links:
- [bpf-next,v3,1/2] bpf, verifier: fold reg->var_off into PTR_TO_FLOW_KEYS bounds check
https://git.kernel.org/bpf/bpf-next/c/37363191cbe8
- [bpf-next,v3,2/2] selftests/bpf: add tests for PTR_TO_FLOW_KEYS offset bounds
https://git.kernel.org/bpf/bpf-next/c/3ce6b42458f0

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
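
The check described in the quoted cover letter, as a simplified user-space model added here for illustration; it is not the kernel's code or the code from the applied patches. The names model_reg, check_before and check_after are hypothetical, and FLOW_KEYS_SIZE is an assumed stand-in for sizeof(struct bpf_flow_keys).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for sizeof(struct bpf_flow_keys); not taken from the thread. */
#define FLOW_KEYS_SIZE 56

/* Hypothetical model of the register state the cover letter refers to. */
struct model_reg {
    uint64_t var_off_value; /* constant part of the offset added to the pointer */
    uint64_t var_off_mask;  /* unknown bits; 0 means the offset is constant */
};

/* Pre-fix behaviour as described: only insn->off is bounds-checked. */
static bool check_before(const struct model_reg *reg, int insn_off, int size)
{
    (void)reg; /* var_off is never consulted */
    return insn_off >= 0 && size > 0 &&
           (int64_t)insn_off + size <= FLOW_KEYS_SIZE;
}

/* Post-fix behaviour as described: reject non-constant, fold the constant. */
static bool check_after(const struct model_reg *reg, int insn_off, int size)
{
    int64_t v = (int64_t)reg->var_off_value;
    int64_t off;

    if (reg->var_off_mask != 0)
        return false;                 /* variable offset: not provable */
    if (v < INT32_MIN || v > INT32_MAX)
        return false;                 /* keeps the sum below free of overflow */
    off = v + insn_off;
    return off >= 0 && size > 0 && off + size <= FLOW_KEYS_SIZE;
}

int main(void)
{
    /* Constructed case from the cover letter: flow_keys += 0x1000; *(flow_keys + 0) */
    struct model_reg moved = { 0x1000, 0 };

    printf("before: %s\n", check_before(&moved, 0, 8) ? "accept" : "reject");
    printf("after:  %s\n", check_after(&moved, 0, 8) ? "accept" : "reject");
    return 0;
}
```
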