[PATCH bpf v2 0/2] bpf, sockmap: fix bpf_msg_pop_data() integer overflow

From: Sechang Lim

Date: Wed Jun 10 2026 - 04:20:31 EST


bpf_msg_pop_data() computes "u64 last = start + len" with u32 operands,
so a len close to U32_MAX wraps the sum and passes the bounds check. The
pop loop then walks off the end of the sk_msg scatterlist and
sk_msg_shift_left() calls put_page() on the empty msg->sg.end slot.

v2:
- add selftest (Cong Wang)
- change pop to u32 (Emil Tsalapatis)

v1:
- https://lore.kernel.org/all/20260609183927.4021802-1-rhkrqnwk98@xxxxxxxxx/

Sechang Lim (2):
bpf, sockmap: fix integer overflow in bpf_msg_pop_data() bounds check
selftests/bpf: add test for bpf_msg_pop_data() overflow

net/core/filter.c | 4 +-
.../selftests/bpf/prog_tests/sockmap_basic.c | 48 +++++++++++++++++++
.../bpf/progs/test_sockmap_msg_pop_data.c | 27 +++++++++++
3 files changed, 77 insertions(+), 2 deletions(-)
create mode 100644 tools/testing/selftests/bpf/progs/test_sockmap_msg_pop_data.c

--
2.43.0
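To make the wrap concrete, here is an added userspace model of the bounds check (example code written for this page, not the kernel's code or the patch's). Only the expression "u64 last = start + len" is taken from the cover letter; the shape of the check (reject when last is past the message size), the message size of 64 bytes, and the function names are assumptions for illustration. The widened form and the explicit-overflow form are two ways of computing the sum in enough bits, so neither one is claimed to be the exact change in the patch.

```c
/* Added example, not part of the patch series. Models the bounds check
 * in bpf_msg_pop_data() to show how a sum of two u32 operands wraps
 * before it is widened to u64, letting a huge len pass the check.
 * The check shape, the size value and the function names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

#define U32_MAX 0xffffffffU

/* Vulnerable form (the expression quoted in the cover letter): start and
 * len are u32, so "start + len" is evaluated in 32 bits and wraps at 2^32.
 * The u64 type of "last" only widens the already-wrapped result. */
static bool pop_range_ok_wrapping(u32 start, u32 len, u32 msg_size)
{
	u64 last = start + len;		/* u32 + u32: wraps */
	return last <= msg_size;	/* assumed check: end must be inside msg */
}

/* Hardened form 1: cast one operand first so the addition is done in
 * 64 bits and a len near U32_MAX produces a value larger than any size. */
static bool pop_range_ok_widened(u32 start, u32 len, u32 msg_size)
{
	u64 last = (u64)start + len;	/* u64 + u32: cannot wrap here */
	return last <= msg_size;
}

/* Hardened form 2: keep the 32-bit type but refuse the request when the
 * addition overflows. The GCC/Clang builtin is used so this compiles in
 * userspace; in-kernel code would use check_add_overflow(). */
static bool pop_range_ok_checked(u32 start, u32 len, u32 msg_size)
{
	u32 last;

	if (__builtin_add_overflow(start, len, &last))
		return false;	/* wrapped: reject instead of trusting last */
	return last <= msg_size;
}

/* The wrapped end offset the vulnerable form actually compares, so the
 * reader can see which 32-bit value passed the check. */
static u32 wrapped_last(u32 start, u32 len)
{
	return start + len;	/* deliberately u32 arithmetic */
}

int main(void)
{
	/* Constructed inputs: a 64-byte message, pop starting at 16 with a
	 * len chosen so that 16 + len wraps to 7, which is "inside" the msg. */
	u32 size = 64, start = 16, bad_len = U32_MAX - 8, good_len = 32;

	printf("wrapped end offset for bad len: %u\n",
	       wrapped_last(start, bad_len));
	printf("wrapping check  bad len: %s\n",
	       pop_range_ok_wrapping(start, bad_len, size) ? "PASS (bug)" : "reject");
	printf("widened check   bad len: %s\n",
	       pop_range_ok_widened(start, bad_len, size) ? "pass" : "reject");
	printf("checked check   bad len: %s\n",
	       pop_range_ok_checked(start, bad_len, size) ? "pass" : "reject");
	printf("all three, good len:     %d %d %d\n",
	       pop_range_ok_wrapping(start, good_len, size),
	       pop_range_ok_widened(start, good_len, size),
	       pop_range_ok_checked(start, good_len, size));
	return 0;
}
```

With the constructed inputs the vulnerable form accepts a pop of nearly 4 GiB from a 64-byte message because the sum wraps to 7; the pop loop would then be driven by the real len and walk off the scatterlist, which is the condition the cover letter describes. Both hardened forms reject it while still accepting the in-range request.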