lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1b78506003b674f5e66bc7ac61f279a363f5cacc8d2fcb615d06abb0316ef00c@mail.kernel.org>
Date: Sat, 20 Dec 2025 04:29:43 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: roman.gushchin@...ux.dev,bpf@...r.kernel.org,linux-mm@...ck.org,linux-kernel@...r.kernel.org
Cc: inwardvessel@...il.com,ast@...nel.org,daniel@...earbox.net,shakeel.butt@...ux.dev,mhocko@...nel.org,hannes@...xchg.org,roman.gushchin@...ux.dev,mhocko@...e.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v2 4/7] mm: introduce BPF kfuncs to access memcg statistics and events

> diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c
> index 2d518ad2ad3f..d84fe6f3ed43 100644
> --- a/mm/bpf_memcontrol.c
> +++ b/mm/bpf_memcontrol.c
> @@ -78,6 +78,57 @@ __bpf_kfunc void bpf_put_mem_cgroup(struct mem_cgroup *memcg)
>  	css_put(&memcg->css);
>  }
>
> +/**
> + * bpf_mem_cgroup_vm_events - Read memory cgroup's vm event counter
> + * @memcg: memory cgroup
> + * @event: event id
> + *
> + * Allows to read memory cgroup event counters.
> + */
> +__bpf_kfunc unsigned long bpf_mem_cgroup_vm_events(struct mem_cgroup *memcg,
> +						enum vm_event_item event)
> +{
> +	return memcg_events(memcg, event);
> +}

Should this function validate the event parameter before passing it to
memcg_events()?

The call chain bpf_mem_cgroup_vm_events()->memcg_events()->memcg_events_index()
reaches an array access in memcg_events_index():

    static inline int memcg_events_index(enum vm_event_item idx)
    {
        return mem_cgroup_events_index[idx];
    }

The array mem_cgroup_events_index is declared with size NR_VM_EVENT_ITEMS.
If a BPF program passes an event value >= NR_VM_EVENT_ITEMS, this would
cause an out-of-bounds array read.

For comparison, bpf_mem_cgroup_page_state() below validates its idx
parameter before calling memcg_page_state_output(). A similar check here
would prevent the potential out-of-bounds access:

    if (event < 0 || event >= NR_VM_EVENT_ITEMS)
        return (unsigned long)-1;

> +
> +/**
> + * bpf_mem_cgroup_usage - Read memory cgroup's usage

[ ... ]

> +__bpf_kfunc unsigned long bpf_mem_cgroup_page_state(struct mem_cgroup *memcg, int idx)
> +{
> +	if (idx < 0 || idx >= MEMCG_NR_STAT)
> +		return (unsigned long)-1;
> +
> +	return memcg_page_state_output(memcg, idx);
> +}

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20389033088

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ