lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <cf8d48e8bcdba2515366bc8b6c85f581ca3d18ead24db9cb3ba9b98db252e0b9@mail.kernel.org>
Date: Fri, 19 Dec 2025 02:21:40 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: roman.gushchin@...ux.dev,bpf@...r.kernel.org,linux-mm@...ck.org,linux-kernel@...r.kernel.org
Cc: inwardvessel@...il.com,ast@...nel.org,daniel@...earbox.net,shakeel.butt@...ux.dev,mhocko@...nel.org,hannes@...xchg.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access memory events

> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index 4d9d7d909f6c..75076d682f75 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c

[ ... ]

> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
> +						enum memcg_memory_event event)
> +{
> +	if (event >= MEMCG_NR_MEMORY_EVENTS)
> +		return (unsigned long)-1;
> +
> +	return atomic_long_read(&memcg->memory_events[event]);
> +}

Could this cause an out-of-bounds access if a BPF program passes a negative
value for event? The enum type is signed, so if event is -1, the check
"event >= MEMCG_NR_MEMORY_EVENTS" would evaluate to false (-1 >= 10 is
false), allowing access to memcg->memory_events[-1].

The existing bpf_mem_cgroup_page_state() in the same file uses both lower
and upper bound checks:

    if (idx < 0 || idx >= MEMCG_NR_STAT)
        return (unsigned long)-1;

Should bpf_mem_cgroup_memory_events() follow the same pattern with:

    if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20357445962

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ