diff options
| author | Kumar Kartikeya Dwivedi <memxor@gmail.com> | 2026-06-09 17:39:46 +0200 |
|---|---|---|
| committer | Kumar Kartikeya Dwivedi <memxor@gmail.com> | 2026-06-09 17:39:47 +0200 |
| commit | f1a660bbd12dd855fce6cf13f144008c4e45e7c7 (patch) | |
| tree | 2a62aaa899e85eae3f0d567e73ed73ceee025105 /include/linux | |
| parent | dd0f9684d2f7d3f99aee63f5fa80562f2207b964 (diff) | |
| parent | af8c3f170f7314d316023efc0ae670384e220b09 (diff) | |
Merge branch 'bpf-enforce-btf-pointer-write-checks-for-global-args'
Nuoqi Gui says:
====================
bpf: Enforce BTF pointer write checks for global args
check_mem_reg() verifies both read and write access when a caller passes
memory into a global subprogram. For PTR_TO_BTF_ID callers,
check_helper_mem_access() currently always checks the access as BPF_READ.
That lets a tracing program pass a task_struct field pointer to a global
subprogram argument typed as writable memory. The direct field store is rejected
with "only read is supported", but the callee is validated with a generic
writable PTR_TO_MEM argument and can store through it.
Forward the requested access type into the PTR_TO_BTF_ID helper-access path and
add verifier coverage for the global-subprogram argument case.
Validation (tested on bpf-next 8496d9020ff3):
Without this series:
direct BTF field store rejected with "only read is supported";
global-subprogram candidate loaded, attached, and runtime-confirmed.
With this series applied:
direct BTF field store rejected with "only read is supported";
global-subprogram candidate rejected with "only read is supported".
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
====================
Link: https://patch.msgid.link/20260609-f01-04-btf-writable-arg-v1-0-f449cd970669@mails.tsinghua.edu.cn
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions