author Jakub Kicinski <kuba@kernel.org> 2026-04-12 12:28:07 -0700
committer Jakub Kicinski <kuba@kernel.org> 2026-04-12 12:28:08 -0700
commit ba69b788ed79d82ed4940fc8dbee9b3f9c5b1a88
tree 90015fcae0717b9697b7782fdf148427056729be
parent NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
parent selftests/bpf: Add tests for sock_ops ctx access with same src/dst register
Merge branch 'bpf-fix-sock_ops_get_sk-same-register-oob-read-in-sock_ops-and-add-selftest'
Jiayuan Chen says:

====================
bpf: Fix SOCK_OPS_GET_SK same-register OOB read in sock_ops and add selftest

When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg,
the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the
destination register in the !fullsock / !locked_tcp_sock path, leading to
OOB read (GET_SK) and kernel pointer leak (GET_FIELD).

Patch 1: Fix both macros by adding BPF_MOV64_IMM(si->dst_reg, 0) in the
!fullsock landing pad.
Patch 2: Add selftests covering same-register and different-register cases
for both GET_SK and GET_FIELD.

[1] https://lore.kernel.org/bpf/6fe1243e-149b-4d3b-99c7-fcc9e2f75787@std.uestc.edu.cn/T/#u
====================

Link: https://patch.msgid.link/20260407022720.162151-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
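
The same-register case from the cover letter above, as an added user-space model that is not code from this commit or from the kernel. It shows why the !fullsock landing pad has to zero the destination register. The instruction sequence, the choice of r9 as scratch register, and `struct ctx_model` with its `temp` slot are simplifying assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: field names and layout are assumptions, not kernel definitions. */
struct ctx_model { uint64_t is_fullsock, sk, temp; };
enum op { LDX, STX, JEQ0, JA, MOV0, END };
struct insn { enum op op; int dst, src; size_t off; int jmp; };
#define OFF(f) offsetof(struct ctx_model, f)

/* Run a tiny instruction list; loads and stores go through the address held
 * in the base register, the way a converted ctx access does. */
static uint64_t run(const struct insn *p, uint64_t *r, int result_reg)
{
    for (;; p++) {
        switch (p->op) {
        case LDX:  r[p->dst] = *(uint64_t *)(uintptr_t)(r[p->src] + p->off); break;
        case STX:  *(uint64_t *)(uintptr_t)(r[p->dst] + p->off) = r[p->src]; break;
        case JEQ0: if (r[p->dst] == 0) p += p->jmp; break;
        case JA:   p += p->jmp; break;
        case MOV0: r[p->dst] = 0; break;
        case END:  return r[result_reg];
        }
    }
}

/* Model of "r1 = ctx->sk" with dst_reg == src_reg == r1. r9 is borrowed as
 * scratch and saved/restored through ctx->temp. Returns the final r1. */
static uint64_t same_reg_get_sk(struct ctx_model *ctx, int fixed)
{
    uint64_t r[10] = {0};
    const struct insn prog[] = {
        { STX,  1, 9, OFF(temp), 0 },        /* save scratch r9 */
        { LDX,  9, 1, OFF(is_fullsock), 0 }, /* r9 = ctx->is_fullsock */
        { JEQ0, 9, 0, 0, 3 },                /* !fullsock: jump to landing pad */
        { LDX,  9, 1, OFF(temp), 0 },        /* restore r9 */
        { LDX,  1, 1, OFF(sk), 0 },          /* r1 = ctx->sk */
        { JA,   0, 0, 0, 2 },                /* skip the landing pad */
        { LDX,  9, 1, OFF(temp), 0 },        /* landing pad: restore r9 */
        { fixed ? MOV0 : JA, 1, 0, 0, 0 },   /* the fix: r1 = 0 (JA +0 is a no-op) */
        { END,  0, 0, 0, 0 },
    };
    r[1] = (uint64_t)(uintptr_t)ctx;         /* r1 enters holding the ctx pointer */
    return run(prog, r, 1);
}

int main(void)
{
    struct ctx_model ctx = { .is_fullsock = 0, .sk = 0x1234 }; /* constructed */
    printf("unfixed r1 == ctx pointer: %d, fixed r1: %llu\n",
           same_reg_get_sk(&ctx, 0) == (uint64_t)(uintptr_t)&ctx,
           (unsigned long long)same_reg_get_sk(&ctx, 1));
}
```

When the two registers differ, the destination register itself receives the `is_fullsock` load and is therefore already 0 on the !fullsock path, which is why only the aliased case is affected in this model.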