On Thu Jun 11, 2026 at 5:34 AM PDT, Jiayuan Chen wrote:
> From: Weiming Shi <[email protected]>
>
> When the scatterlist ring is full or nearly full, bpf_msg_push_data()
> enters a copy fallback path and computes copy + len for the page
> allocation size. Since len comes from BPF with arg3_type = ARG_ANYTHING
> and both are u32, a crafted len can wrap the sum to a small value,
> causing an undersized allocation followed by an out-of-bounds memcpy.
>
> BUG: unable to handle page fault for address: ffffed104089a402
> Oops: Oops: 0000 [#1] SMP KASAN NOPTI
> Call Trace:
> __asan_memcpy (mm/kasan/shadow.c:105)
> bpf_msg_push_data (net/core/filter.c:2852 net/core/filter.c:2788)
> bpf_prog_9ed8b5711920a7d7+0x2e/0x36
> sk_psock_msg_verdict (net/core/skmsg.c:934)
> tcp_bpf_sendmsg (net/ipv4/tcp_bpf.c:421 net/ipv4/tcp_bpf.c:584)
> __sys_sendto (net/socket.c:2206)
> do_syscall_64 (arch/x86/entry/syscall_64.c:94)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>
> Add an overflow check before the allocation.
>
> Link: https://lore.kernel.org/all/[email protected]
> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
> Tested-by: Xiang Mei <[email protected]>
> Tested-by: Xinyu Ma <[email protected]>
> Reviewed-by: Jiayuan Chen <[email protected]>
> Cc: Jiayuan Chen <[email protected]>
> Signed-off-by: Weiming Shi <[email protected]>
That's not the right way to post somebody else's patches. You need to keep their authorship and SOB (as you did), but you also need to add your SOB after theirs. Also, please target bpf-next.

pw-bot: cr
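The u32 wrap the quoted patch description refers to, shown in user space as an added example (not kernel code and not the patch itself): copy + len computed in u32 wraps to a small allocation size, and an overflow check rejects the same input. Function names and the sample copy/len values are assumptions of this example; __builtin_add_overflow stands in for the kernel's check_add_overflow().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the unchecked sizing in the copy fallback path:
 * copy + len evaluated in u32, so it wraps modulo 2^32. */
uint32_t unchecked_alloc_size(uint32_t copy, uint32_t len)
{
    return copy + len;
}

/* Checked variant: refuse any len whose sum with copy would wrap.
 * Returns the sum, or 0 when the addition overflows (0 is never a
 * valid fallback size here, since copy > 0 on that path). */
uint32_t checked_alloc_size(uint32_t copy, uint32_t len)
{
    uint32_t sum;

    if (__builtin_add_overflow(copy, len, &sum))
        return 0;
    return sum;
}

/* True when the unchecked size cannot even hold the `copy` bytes that
 * the fallback then memcpy()s into the new page: the undersized case. */
bool unchecked_size_undersized(uint32_t copy, uint32_t len)
{
    return unchecked_alloc_size(copy, len) < copy;
}

int main(void)
{
    /* Constructed sample: 4 KiB already in the ring, attacker-chosen len. */
    uint32_t copy = 0x1000u, len = 0xFFFFF100u;

    printf("unchecked size: %u (undersized: %s)\n",
           unchecked_alloc_size(copy, len),
           unchecked_size_undersized(copy, len) ? "yes" : "no");
    printf("checked size:   %u (0 = rejected)\n",
           checked_alloc_size(copy, len));
    return 0;
}
```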

