bpf: reject direct access to nullable PTR_TO_BUF pointers
authorQi Tang <tpluszz77@gmail.com>
Thu, 2 Apr 2026 09:29:22 +0000 (17:29 +0800)
committerAlexei Starovoitov <ast@kernel.org>
Thu, 2 Apr 2026 16:47:13 +0000 (09:47 -0700)
check_mem_access() matches PTR_TO_BUF via base_type() which strips
PTR_MAYBE_NULL, allowing direct dereference without a null check.

Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL.
On stop callbacks these are NULL, causing a kernel NULL dereference.

Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the
existing PTR_TO_BTF_ID pattern.

Fixes: 20b2aff4bc15 ("bpf: Introduce MEM_RDONLY flag")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260402092923.38357-2-tpluszz77@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/verifier.c

index a3388cb8fcbdf9c29591e72031cc9e66d483376d..df04dccfc540971d46d1b01cda3c268aca9200d1 100644 (file)
@@ -7905,7 +7905,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
        } else if (reg->type == CONST_PTR_TO_MAP) {
                err = check_ptr_to_map_access(env, regs, regno, off, size, t,
                                              value_regno);
-       } else if (base_type(reg->type) == PTR_TO_BUF) {
+       } else if (base_type(reg->type) == PTR_TO_BUF &&
+                  !type_may_be_null(reg->type)) {
                bool rdonly_mem = type_is_rdonly_mem(reg->type);
                u32 *max_access;