Re: [PATCH bpf v2 2/7] bpf, sockmap: Fix wrong rsge offset in bpf_msg_push_data()

From: Emil Tsalapatis

Date: Thu Jun 11 2026 - 12:52:48 EST

On Thu Jun 11, 2026 at 8:34 AM EDT, Jiayuan Chen wrote:
> From: Weiming Shi <bestswngs@xxxxxxxxx>
>
> When bpf_msg_push_data() splits a scatterlist element into head and
> tail, the tail's page offset is advanced by `start` (absolute message
> byte offset) instead of `start - offset` (byte position within the
> element). This makes rsge.offset overshoot by `offset` bytes, pointing
> to the wrong location within the page or beyond its boundary. Consumers
> of the corrupted entry either silently read wrong data or trigger an
> out-of-bounds access.
>
> BUG: KASAN: slab-use-after-free in bpf_msg_pull_data (net/core/filter.c:2728)
> Read of size 32752 at addr ffff8881042f0010 by task poc/130
> Call Trace:
> __asan_memcpy (mm/kasan/shadow.c:105)
> bpf_msg_pull_data (net/core/filter.c:2728)
> bpf_prog_run_pin_on_cpu (include/linux/bpf.h:1402)
> sk_psock_msg_verdict (net/core/skmsg.c:934)
> tcp_bpf_send_verdict (net/ipv4/tcp_bpf.c:421)
> sock_sendmsg_nosec (net/socket.c:727)

Reviewed-by: Emil Tsalapatis <emil@xxxxxxxxxxxxxxx>

>
> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
> Reported-by: Xiang Mei <xmei5@xxxxxxx>
> Reviewed-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
> Cc: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
> Signed-off-by: Weiming Shi <bestswngs@xxxxxxxxx>
> ---
> To sashiko:
>
> Regarding bpf_msg_push_data() reading "copy = msg->sg.data[i].length" with
> i == msg->sg.end (appending at the very end of a full/near-full ring):
>
> This is pre-existing code, not touched by this series, and reproducing it needs
> a narrow combination -- a pure append at the end so the loop exits with
> i == msg->sg.end, a full/near-full ring, plus a prior push/pop history that
> leaves a stale length in the otherwise-unused end slot. A freshly built ring
> zeroes that slot, so copy stays 0. We don't consider it practically reproducible.
>
> Even then it's already covered: the overflow check in patch 1 ("copy + len <
> copy") rejects the dangerous case, and __GFP_ZERO in patch 3 prevents any data
> exposure. Not worth fixing here.
> ---
> net/core/filter.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 3c8f1cedb217f..3e555f276ba80 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -2872,7 +2872,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
>
> psge->length = start - offset;
> rsge.length -= psge->length;
> - rsge.offset += start;
> + rsge.offset += start - offset;
>
> sk_msg_iter_var_next(i);
> sg_unmark_end(psge);