lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <873457b2vo.fsf@linux.dev>
Date: Thu, 18 Dec 2025 18:51:23 -0800
From: Roman Gushchin <roman.gushchin@...ux.dev>
To: bot+bpf-ci@...nel.org
Cc: bpf@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org,
  inwardvessel@...il.com, ast@...nel.org, daniel@...earbox.net,
 shakeel.butt@...ux.dev, mhocko@...nel.org, hannes@...xchg.org,
 andrii@...nel.org, martin.lau@...nel.org, eddyz87@...il.com,
 yonghong.song@...ux.dev, clm@...a.com, ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v1 5/6] mm: introduce BPF kfunc to access
 memory events

bot+bpf-ci@...nel.org writes:

>> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
>> index 4d9d7d909f6c..75076d682f75 100644
>> --- a/mm/bpf_memcontrol.c
>> +++ b/mm/bpf_memcontrol.c
>
> [ ... ]
>
>> +__bpf_kfunc unsigned long bpf_mem_cgroup_memory_events(struct mem_cgroup *memcg,
>> +						enum memcg_memory_event event)
>> +{
>> +	if (event >= MEMCG_NR_MEMORY_EVENTS)
>> +		return (unsigned long)-1;
>> +
>> +	return atomic_long_read(&memcg->memory_events[event]);
>> +}
>
> Could this cause an out-of-bounds access if a BPF program passes a negative
> value for event? The enum type is signed, so if event is -1, the check
> "event >= MEMCG_NR_MEMORY_EVENTS" would evaluate to false (-1 >= 10 is
> false), allowing access to memcg->memory_events[-1].
>
> The existing bpf_mem_cgroup_page_state() in the same file uses both lower
> and upper bound checks:
>
>     if (idx < 0 || idx >= MEMCG_NR_STAT)
>         return (unsigned long)-1;
>
> Should bpf_mem_cgroup_memory_events() follow the same pattern with:
>
>     if (event < 0 || event >= MEMCG_NR_MEMORY_EVENTS)

Same here: the check is enforced by the bpf verifier based on the type
information. Not a real issue.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ