github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 08:08:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
linux/kernel/bpf
History
Junyoung Jang 3ac1a467e3 bpf: Fix off-by-one boundary validation in arena direct-value access 
BPF_MAP_TYPE_ARENA accepts BPF_PSEUDO_MAP_VALUE offsets at exactly
the end of the arena mapping (off == arena_size). The boundary check
in arena_map_direct_value_addr() uses `>` instead of `>=`, which
incorrectly allows a one-past-end pointer to be accepted.

Change the condition to `>=` to correctly reject offsets that fall
outside the valid arena user_vm range.

Fixes: 317460317a ("bpf: Introduce bpf_arena.")
Signed-off-by: Junyoung Jang <graypanda.inzag@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260426172505.1947915-1-graypanda.inzag@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-09 16:18:39 -07:00
..
preload umd: Remove usermode driver framework 2025-07-26 21:03:04 +02:00
arena.c bpf: Fix off-by-one boundary validation in arena direct-value access 2026-05-09 16:18:39 -07:00
arraymap.c bpf: Fix RCU stall in bpf_fd_array_map_clear() 2026-04-10 12:10:06 -07:00
backtrack.c bpf: Move backtracking logic to backtrack.c 2026-04-12 12:36:58 -07:00
bloom_filter.c bpf: Lose const-ness of map in map_check_btf() 2026-02-27 15:39:00 -08:00
bpf_cgrp_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
bpf_inode_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
bpf_insn_array.c bpf: Lose const-ness of map in map_check_btf() 2026-02-27 15:39:00 -08:00
bpf_iter.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
bpf_local_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
bpf_lru_list.c bpf: Replace get_next_cpu() with cpumask_next_wrap() 2025-08-18 15:11:02 +02:00
bpf_lru_list.h bpf: Adjust free target to avoid global starvation of LRU map 2025-06-18 18:50:14 -07:00
bpf_lsm_proto.c bpf: annotate file argument as __nullable in bpf_lsm_mmap_file 2025-12-21 10:56:33 -08:00
bpf_lsm.c bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks 2026-04-07 07:57:07 -07:00
bpf_struct_ops.c bpf: Dissociate struct_ops program with map if map_update fails 2026-04-17 12:04:14 -07:00
bpf_task_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
btf_iter.c
btf_relocate.c
btf.c btf: Support kernel parsing of BTF with layout info 2026-03-26 13:53:56 -07:00
cfg.c bpf: Move check_cfg() into cfg.c 2026-04-12 12:36:45 -07:00
cgroup_iter.c bpf: add new BPF_CGROUP_ITER_CHILDREN control option 2026-01-27 09:05:54 -08:00
cgroup.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
check_btf.c bpf: Move BTF checking logic into check_btf.c 2026-04-12 12:37:04 -07:00
const_fold.c bpf: Add bpf_compute_const_regs() and bpf_prune_dead_branches() passes 2026-04-03 08:34:36 -07:00
core.c bpf: Add helper to detect indirect jump targets 2026-04-16 07:03:40 -07:00
cpumap.c bpf: Add missing XDP_ABORTED handling in cpumap 2026-03-03 08:37:21 -08:00
cpumask.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
crypto.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
devmap.c bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path 2026-03-24 15:17:20 -07:00
disasm.c bpf: disasm: add support for BPF_JMP|BPF_JA|BPF_X 2025-11-05 17:53:23 -08:00
disasm.h
dispatcher.c bpf: Add kernel symbol for struct_ops trampoline 2024-11-12 17:13:46 -08:00
dmabuf_iter.c bpf: Fix truncated dmabuf iterator reads 2025-12-09 23:48:34 -08:00
fixups.c bpf: Add helper to detect indirect jump targets 2026-04-16 07:03:40 -07:00
hashtab.c Merge patch series "bpf: Fix OOB in pcpu_init_value and add a test" 2026-04-12 13:36:55 -07:00
helpers.c bpf: allow UTF-8 literals in bpf_bprintf_prepare() 2026-04-16 15:53:32 -07:00
inode.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
Kconfig bpf: Update the bpf_prog_calc_tag to use SHA256 2025-09-18 19:10:20 -07:00
kmem_cache_iter.c bpf: Add open coded version of kmem_cache iterator 2024-11-01 11:08:32 -07:00
link_iter.c bpf: Clean up individual BTF_ID code 2025-07-16 18:34:42 -07:00
liveness.c bpf: Don't run arg-tracking analysis twice on main subprog 2026-05-09 16:12:40 -07:00
local_storage.c bpf: fix end-of-list detection in cgroup_storage_get_next_key() 2026-04-05 18:45:05 -07:00
log.c bpf: poison dead stack slots 2026-04-10 15:13:38 -07:00
lpm_trie.c bpf: Lose const-ness of map in map_check_btf() 2026-02-27 15:39:00 -08:00
Makefile bpf: Move BTF checking logic into check_btf.c 2026-04-12 12:37:04 -07:00
map_in_map.c
map_in_map.h
map_iter.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
memalloc.c bpf: Retire rcu_trace_implies_rcu_gp() 2026-04-07 12:24:49 -07:00
mmap_unlock_work.h
mprog.c
net_namespace.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
offload.c bpf: Fix use-after-free in offloaded map/prog info fill 2026-04-09 13:24:32 -07:00
percpu_freelist.c bpf: Convert percpu_freelist.c to rqspinlock 2025-03-19 08:03:05 -07:00
percpu_freelist.h bpf: Convert percpu_freelist.c to rqspinlock 2025-03-19 08:03:05 -07:00
prog_iter.c bpf: Clean up individual BTF_ID code 2025-07-16 18:34:42 -07:00
queue_stack_maps.c bpf: Convert queue_stack map to rqspinlock 2025-04-10 12:51:10 -07:00
range_tree.c bpf: arena: Reintroduce memcg accounting 2026-01-02 14:31:59 -08:00
range_tree.h bpf: Introduce range_tree data structure and use it in bpf arena 2024-11-13 13:52:45 -08:00
relo_core.c
reuseport_array.c
ringbuf.c bpf: Add SPDX license identifiers to a few files 2026-01-16 14:50:00 -08:00
rqspinlock.c mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
rqspinlock.h rqspinlock: Protect waiters in queue from stalls 2025-03-19 08:03:05 -07:00
stackmap.c bpf-next-6.19 2025-12-03 16:54:54 -08:00
states.c bpf: Move state equivalence logic to states.c 2026-04-12 12:36:52 -07:00
stream.c bpf: Add bpf_stream_print_stack stack dumping kfunc 2026-02-03 10:41:16 -08:00
syscall.c bpf: Pass bpf_verifier_env to JIT 2026-04-16 07:03:40 -07:00
sysfs_btf.c Driver core changes for 6.17-rc1 2025-07-29 12:15:39 -07:00
task_iter.c bpf: return VMA snapshot from task_vma iterator 2026-04-10 12:05:16 -07:00
tcx.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
tnum.c bpf: Simplify tnum_step() 2026-03-24 08:45:29 -07:00
token.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
trampoline.c bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim 2026-03-03 15:13:51 -08:00
verifier.c bpf: Fix NULL deref in map_kptr_match_type for scalar regs 2026-04-16 15:20:26 -07:00