{
  "commit": "d79e2a3f722af5d20208d089d7da9b07124ea6a7",
  "tree": "3fc464a8def574e5b91854be7d1f0dfaaf5da6a4",
  "parents": [
    "f7770a2505d9cd31b206b91d18e7d3b9cd5001ef"
  ],
  "author": {
    "name": "Paul Chaignon",
    "email": "paul.chaignon@gmail.com",
    "time": "Tue Jul 22 16:32:32 2025 +0200"
  },
  "committer": {
    "name": "Kevin Berry",
    "email": "kpberry@google.com",
    "time": "Sat Jan 31 10:14:23 2026 -0800"
  },
  "message": "bpf: Reject narrower access to pointer ctx fields\n\ncommit e09299225d5ba3916c91ef70565f7d2187e4cca0 upstream.\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n    r0 = *(u8 *)(r1 + 169);\n    exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn't match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn->off\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n    verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn't get reported to the mailing list.\n\nBUG=b/440033177\nTEST=presubmit\nRELEASE_NOTE=Fixed CVE-2025-38591 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: f96da09473b52 (\"bpf: simplify narrower ctx access\")\nFixes: 0df1a55afa832 (\"bpf: Warn on internal verifier errors\")\nReported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec\nChange-Id: Ib157d742569173b07f12826f7c32b5927fc4f86b\nSigned-off-by: Paul Chaignon <paul.chaignon@gmail.com>\nSigned-off-by: Martin KaFai Lau <martin.lau@kernel.org>\nAcked-by: Eduard Zingerman <eddyz87@gmail.com>\nLink: https://patch.msgid.link/3b8dcee67ff4296903351a974ddd9c4dca768b64.1753194596.git.paul.chaignon@gmail.com\nSigned-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\nSigned-off-by: Kernel CVE Triage Automation <cloud-image-kernel-cve-triage-automation@prod.google.com>\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/128181\nTested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>\nReviewed-by: Chenglong Tang <chenglongtang@google.com>\nReviewed-by: Kevin Berry <kpberry@google.com>\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "c0d606c40195d46a78c7807373465fe504bd2dfc",
      "old_mode": 33188,
      "old_path": "kernel/bpf/cgroup.c",
      "new_id": "1ebf40badbf6d7d3553503dc59079479b9711dc1",
      "new_mode": 33188,
      "new_path": "kernel/bpf/cgroup.c"
    },
    {
      "type": "modify",
      "old_id": "b6636b8238fe2a42f6ace2c05bbf2ae74f248806",
      "old_mode": 33188,
      "old_path": "net/core/filter.c",
      "new_id": "53c7526dc000eb516e540a9a1aad1574d4f9f178",
      "new_mode": 33188,
      "new_path": "net/core/filter.c"
    }
  ]
}
