lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <e80e8faecbfd7099950485f4de08a1226ae10282ec44fe9e6b3610fcb00c8400@mail.kernel.org>
Date: Fri, 19 Dec 2025 02:15:11 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: roman.gushchin@...ux.dev,bpf@...r.kernel.org,linux-mm@...ck.org,linux-kernel@...r.kernel.org
Cc: inwardvessel@...il.com,ast@...nel.org,daniel@...earbox.net,shakeel.butt@...ux.dev,mhocko@...nel.org,hannes@...xchg.org,roman.gushchin@...ux.dev,mhocko@...e.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v1 4/6] mm: introduce BPF kfuncs to access memcg statistics and events

> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index 6d0d73bf0dd1..4d9d7d909f6c 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c

[ ... ]

> +/**
> + * bpf_mem_cgroup_vm_events - Read memory cgroup's vm event counter
> + * @memcg: memory cgroup
> + * @event: event id
> + *
> + * Allows to read memory cgroup event counters.
> + */
> +__bpf_kfunc unsigned long bpf_mem_cgroup_vm_events(struct mem_cgroup *memcg,
> +						enum vm_event_item event)
> +{
> +	return memcg_events(memcg, event);
> +}

Should bpf_mem_cgroup_vm_events() validate the event parameter before
passing it to memcg_events()? The call chain is:

  bpf_mem_cgroup_vm_events() -> memcg_events() -> memcg_events_index()

And memcg_events_index() does:

  return mem_cgroup_events_index[idx];

where mem_cgroup_events_index is an array of size NR_VM_EVENT_ITEMS. If a
BPF program passes event >= NR_VM_EVENT_ITEMS, this would be an
out-of-bounds array read.

The sister function bpf_mem_cgroup_page_state() below validates its idx
parameter before calling its callee:

> +/**
> + * bpf_mem_cgroup_page_state - Read memory cgroup's page state counter
> + * @memcg: memory cgroup
> + * @idx: counter idx
> + *
> + * Allows to read memory cgroup statistics. The output is in bytes.
> + */
> +__bpf_kfunc unsigned long bpf_mem_cgroup_page_state(struct mem_cgroup *memcg, int idx)
> +{
> +	if (idx < 0 || idx >= MEMCG_NR_STAT)
> +		return (unsigned long)-1;
> +
> +	return memcg_page_state_output(memcg, idx);
> +}

Should bpf_mem_cgroup_vm_events() have a similar bounds check, perhaps:

  if (event >= NR_VM_EVENT_ITEMS)
      return (unsigned long)-1;

before calling memcg_events()?

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20357445962

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ