git.ipfire.org Git - thirdparty/kernel/linux.git/commit
bpf: Fix out-of-bounds read in bpf_patch_call_args()
author: Yazhou Tang <tangyazhou518@outlook.com>
Wed, 6 May 2026 09:47:12 +0000 (17:47 +0800)
committer: Alexei Starovoitov <ast@kernel.org>
Mon, 11 May 2026 15:27:01 +0000 (08:27 -0700)
commit: 4314a44564eb1565349fed7a4192344c5f46fc85
tree: e93b3660ea4948373246116dae2f6aeb262405c4
parent: 5d6919055dec134de3c40167a490f33c74c12581

The interpreters_args array only accommodates stack depths up to
MAX_BPF_STACK (512 bytes). However, do_misc_fixups() may allow a larger
stack depth if JIT is requested.

If JIT compilation later fails and falls back to the interpreter, the
verifier invokes bpf_patch_call_args() with this oversized stack depth.
This causes a load-time out-of-bounds (OOB) read when calculating the
interpreter function pointer index.

Fix this by changing bpf_patch_call_args() to return an int and explicitly
rejecting the JIT fallback (returning -EINVAL) if the stack depth exceeds
MAX_BPF_STACK.

Fixes: 1ea47e01ad6e ("bpf: add support for bpf_call to interpreter")
Co-developed-by: Tianci Cao <ziye@zju.edu.cn>
Signed-off-by: Tianci Cao <ziye@zju.edu.cn>
Co-developed-by: Shenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: Shenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: Yazhou Tang <tangyazhou518@outlook.com>
Acked-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20260506094714.419842-2-tangyazhou@zju.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
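The bound the commit describes, as an added C model that is not the kernel's code: a constructed stand-in for the interpreters_args table and the stack-depth-to-index computation. It assumes one table entry per 32-byte stack slot, giving 16 entries up to MAX_BPF_STACK = 512; the names interp_index, patch_call_args, patch_result and struct insn are mine. It shows why a depth of 513 resolves to index 16, one past the end of the table, and how returning -EINVAL before the lookup (as the fix does for bpf_patch_call_args()) prevents the out-of-bounds read.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; the constant names mirror the commit message. */
#define MAX_BPF_STACK 512
#define STACK_SLOT    32                          /* assumption: one entry per 32-byte slot */
#define NR_INTERPS    (MAX_BPF_STACK / STACK_SLOT) /* 16 entries */

/* Stand-in for the per-stack-size interpreter table. */
typedef uint64_t (*interp_fn)(const void *ctx);
static uint64_t interp_dummy(const void *ctx) { (void)ctx; return 0; }
static interp_fn interpreters_args[NR_INTERPS];

static void init_table(void)
{
    for (int i = 0; i < NR_INTERPS; i++)
        interpreters_args[i] = interp_dummy;
}

/* Toy instruction: only the fields the patch step touches. */
struct insn {
    uint8_t code;
    int16_t off;
    int32_t imm;
};

static uint32_t round_up_u32(uint32_t v, uint32_t align)
{
    return (v + align - 1) / align * align;
}

/*
 * Table index for a given stack depth (the unfixed computation): depth is
 * clamped to at least 1 but has no upper bound, so a depth above
 * MAX_BPF_STACK yields an index past the 16-entry table.
 */
static int interp_index(uint32_t stack_depth)
{
    if (stack_depth < 1)
        stack_depth = 1;
    return (int)(round_up_u32(stack_depth, STACK_SLOT) / STACK_SLOT) - 1;
}

/* True when idx addresses a real table entry; the unfixed path never checks this. */
static int index_in_bounds(int idx)
{
    return idx >= 0 && idx < NR_INTERPS;
}

/* Fixed variant: reject oversized depths before the table lookup. */
static int patch_call_args(struct insn *insn, uint32_t stack_depth)
{
    if (stack_depth > MAX_BPF_STACK)
        return -EINVAL;

    int idx = interp_index(stack_depth);
    insn->off = (int16_t)insn->imm;
    insn->imm = idx;     /* toy: store the index rather than a function offset */
    insn->code = 0x85;   /* placeholder opcode for the CALL_ARGS form */
    return 0;
}

/* Convenience wrapper: the patched index on success, -EINVAL on rejection. */
static int patch_result(uint32_t stack_depth)
{
    struct insn insn = {0};
    int err = patch_call_args(&insn, stack_depth);
    return err ? err : insn.imm;
}

int main(void)
{
    init_table();
    uint32_t depths[] = {1, 32, 33, 512, 513, 1024};
    for (size_t i = 0; i < sizeof depths / sizeof depths[0]; i++) {
        int idx = interp_index(depths[i]);
        printf("depth %4u -> index %2d (%s), fixed path returns %d\n",
               depths[i], idx, index_in_bounds(idx) ? "in bounds" : "OUT OF BOUNDS",
               patch_result(depths[i]));
    }
    return 0;
}
```

Depths 1 through 512 map to indices 0 through 15; 513 maps to 16, which the unfixed computation would use to read past the table, while the fixed path returns -EINVAL for it.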
include/linux/bpf.h
kernel/bpf/core.c
kernel/bpf/fixups.c