linux/kernel/bpf
Alexei Starovoitov fa2942918a Merge patch series "bpf: Fix OOB in pcpu_init_value and add a test"
xulang <xulang@uniontech.com> says:
====================

Fix OOB read when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE
map to another pcpu map with the same value_size that is not rounded
up to 8 bytes, and add a test case to reproduce the issue.

The root cause is that pcpu_init_value() uses copy_map_value_long() which
rounds up the copy size to 8 bytes, but CGROUP_STORAGE map values are not
8-byte aligned (e.g., 4-byte). This causes a 4-byte OOB read when
the copy is performed.
====================

Link: https://lore.kernel.org/r/7653EEEC2BAB17DF+20260402073948.2185396-1-xulang@uniontech.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-04-12 13:36:55 -07:00
preload
Kconfig
Makefile bpf: Move BTF checking logic into check_btf.c 2026-04-12 12:37:04 -07:00
arena.c bpf: Lose const-ness of map in map_check_btf() 2026-02-27 15:39:00 -08:00
arraymap.c bpf: Fix RCU stall in bpf_fd_array_map_clear() 2026-04-10 12:10:06 -07:00
backtrack.c bpf: Move backtracking logic to backtrack.c 2026-04-12 12:36:58 -07:00
bloom_filter.c bpf: Lose const-ness of map in map_check_btf() 2026-02-27 15:39:00 -08:00
bpf_cgrp_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
bpf_inode_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
bpf_insn_array.c bpf: Lose const-ness of map in map_check_btf() 2026-02-27 15:39:00 -08:00
bpf_iter.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
bpf_local_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
bpf_lru_list.c
bpf_lru_list.h
bpf_lsm.c bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks 2026-04-07 07:57:07 -07:00
bpf_lsm_proto.c bpf: annotate file argument as __nullable in bpf_lsm_mmap_file 2025-12-21 10:56:33 -08:00
bpf_struct_ops.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
bpf_task_storage.c bpf: Remove gfp_flags plumbing from bpf_local_storage_update() 2026-04-10 21:22:32 -07:00
btf.c btf: Support kernel parsing of BTF with layout info 2026-03-26 13:53:56 -07:00
btf_iter.c
btf_relocate.c
cfg.c bpf: Move check_cfg() into cfg.c 2026-04-12 12:36:45 -07:00
cgroup.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cgroup_iter.c bpf: add new BPF_CGROUP_ITER_CHILDREN control option 2026-01-27 09:05:54 -08:00
check_btf.c bpf: Move BTF checking logic into check_btf.c 2026-04-12 12:37:04 -07:00
const_fold.c bpf: Add bpf_compute_const_regs() and bpf_prune_dead_branches() passes 2026-04-03 08:34:36 -07:00
core.c bpf: Make find_linfo widely available 2026-04-08 18:09:56 -07:00
cpumap.c bpf: Add missing XDP_ABORTED handling in cpumap 2026-03-03 08:37:21 -08:00
cpumask.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
crypto.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
devmap.c bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path 2026-03-24 15:17:20 -07:00
disasm.c bpf: disasm: add support for BPF_JMP|BPF_JA|BPF_X 2025-11-05 17:53:23 -08:00
disasm.h
dispatcher.c
dmabuf_iter.c bpf: Fix truncated dmabuf iterator reads 2025-12-09 23:48:34 -08:00
fixups.c bpf: Move fixup/post-processing logic from verifier.c into fixups.c 2026-04-12 12:35:54 -07:00
hashtab.c Merge patch series "bpf: Fix OOB in pcpu_init_value and add a test" 2026-04-12 13:36:55 -07:00
helpers.c bpf: Retire rcu_trace_implies_rcu_gp() 2026-04-07 12:24:49 -07:00
inode.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
kmem_cache_iter.c
link_iter.c
liveness.c bpf: Move compute_insn_live_regs() into liveness.c 2026-04-12 12:36:38 -07:00
local_storage.c bpf: fix end-of-list detection in cgroup_storage_get_next_key() 2026-04-05 18:45:05 -07:00
log.c bpf: poison dead stack slots 2026-04-10 15:13:38 -07:00
lpm_trie.c bpf: Lose const-ness of map in map_check_btf() 2026-02-27 15:39:00 -08:00
map_in_map.c
map_in_map.h
map_iter.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
memalloc.c bpf: Retire rcu_trace_implies_rcu_gp() 2026-04-07 12:24:49 -07:00
mmap_unlock_work.h
mprog.c
net_namespace.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
offload.c bpf: Fix use-after-free in offloaded map/prog info fill 2026-04-09 13:24:32 -07:00
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c
range_tree.c bpf: arena: Reintroduce memcg accounting 2026-01-02 14:31:59 -08:00
range_tree.h
relo_core.c
reuseport_array.c
ringbuf.c bpf: Add SPDX license identifiers to a few files 2026-01-16 14:50:00 -08:00
rqspinlock.c mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
rqspinlock.h
stackmap.c bpf-next-6.19 2025-12-03 16:54:54 -08:00
states.c bpf: Move state equivalence logic to states.c 2026-04-12 12:36:52 -07:00
stream.c bpf: Add bpf_stream_print_stack stack dumping kfunc 2026-02-03 10:41:16 -08:00
syscall.c bpf: Retire rcu_trace_implies_rcu_gp() 2026-04-07 12:24:49 -07:00
sysfs_btf.c
task_iter.c bpf: return VMA snapshot from task_vma iterator 2026-04-10 12:05:16 -07:00
tcx.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
tnum.c bpf: Simplify tnum_step() 2026-03-24 08:45:29 -07:00
token.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
trampoline.c bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim 2026-03-03 15:13:51 -08:00
verifier.c bpf: Allow instructions with arena source and non-arena dest registers 2026-04-12 12:47:39 -07:00