From: bot+bpf-ci@kernel.org
To: chenyy23@mails.tsinghua.edu.cn,jikos@kernel.org,bentiss@kernel.org,bpf@vger.kernel.org,linux-input@vger.kernel.org
Cc: chenyy23@mails.tsinghua.edu.cn,shuah@kernel.org,ast@kernel.org,daniel@iogearbox.net,andrii@kernel.org,martin.lau@linux.dev,eddyz87@gmail.com,memxor@gmail.com,song@kernel.org,yonghong.song@linux.dev,jolsa@kernel.org,linux-kselftest@vger.kernel.org,linux-kernel@vger.kernel.org,ast@kernel.org,andrii@kernel.org,daniel@iogearbox.net,martin.lau@kernel.org,eddyz87@gmail.com,yonghong.song@linux.dev,clm@meta.com,ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next 1/2] HID: bpf: Fix hid_bpf_get_data() range check
Date: Tue, 16 Jun 2026 17:18:01 +0000 (UTC) [thread overview]
Message-ID: <509c1ebe734f2319372b2c5f9b02979f07a7ad5dfb44dfc9062501c1440b6633@mail.kernel.org> (raw)
In-Reply-To: <783681f27625a11ed58f00221be046643232a2fc.1781627122.git.chenyy23@mails.tsinghua.edu.cn>
[-- Attachment #1: Type: text/plain, Size: 2523 bytes --]
> commit 7c433bf4ab2de03b77e22dbd3984e39a386997a2
> Author: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
> Date: Tue Jun 16 16:35:06 2026 +0000
>
> HID: bpf: Fix hid_bpf_get_data() range check
>
> hid_bpf_get_data() returns a pointer into the HID-BPF context data when
> the caller-provided offset and size fit inside ctx->allocated_size.
>
> The current check adds rdwr_buf_size and offset before comparing the
> result against ctx->allocated_size. Since both values are unsigned, a
> very large size can wrap the sum below ctx->allocated_size and make the
> helper return a pointer even though the requested range is not contained
> in the backing buffer.
>
> Use a non-wrapping range check instead: reject offsets beyond the
> allocation, then compare the requested size with the remaining bytes
> after the offset.
>
> Fixes: 4171954f56fb ("HID: bpf/dispatch: regroup kfuncs definitions")
> Signed-off-by: Yiyang Chen <chenyy23@mails.tsinghua.edu.cn>
The Fixes tag points to commit 4171954f56fb, but that commit only moved
hid_bpf_get_data() without changing its logic. Its commit message states
"No code change, just move down the hid_bpf_get_data() kfunc definition".
The vulnerable addition pattern 'rdwr_buf_size + offset > ctx->allocated_size'
was actually introduced in commit 658ee5a64fcf ("HID: bpf: allocate data
memory for device_event BPF programs"), which changed the field from ctx->size
to ctx->allocated_size while keeping the same overflow-prone check.
Should the Fixes tag reference the commit that introduced the buggy code:
Fixes: 658ee5a64fcf ("HID: bpf: allocate data memory for device_event BPF programs")
> diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
> index d0130658091b..09b45c40d84f 100644
> --- a/drivers/hid/bpf/hid_bpf_dispatch.c
> +++ b/drivers/hid/bpf/hid_bpf_dispatch.c
> @@ -299,7 +299,8 @@ hid_bpf_get_data(struct hid_bpf_ctx *ctx, unsigned int offset, const size_t rdwr
>
> ctx_kern = container_of(ctx, struct hid_bpf_ctx_kern, ctx);
>
> - if (rdwr_buf_size + offset > ctx->allocated_size)
> + if (offset > ctx->allocated_size ||
> + rdwr_buf_size > ctx->allocated_size - offset)
> return NULL;
>
> return ctx_kern->data + offset;
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27633665618
next prev parent reply other threads:[~2026-06-16 17:18 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 16:35 [PATCH bpf-next 0/2] " Yiyang Chen
2026-06-16 16:35 ` [PATCH bpf-next 1/2] " Yiyang Chen
2026-06-16 17:18 ` bot+bpf-ci [this message]
2026-06-16 22:52 ` Emil Tsalapatis
2026-06-16 16:35 ` [PATCH bpf-next 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-16 23:03 ` Emil Tsalapatis
2026-06-20 14:22 ` [PATCH bpf-next v2 0/2] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-20 14:22 ` [PATCH bpf-next v2 1/2] " Yiyang Chen
2026-06-20 14:22 ` [PATCH bpf-next v2 2/2] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-20 15:11 ` bot+bpf-ci
2026-06-22 5:50 ` Yiyang Chen
2026-06-22 6:52 ` [PATCH bpf-next v3 0/3] HID: bpf: Fix hid_bpf_get_data() range check Yiyang Chen
2026-06-22 7:30 ` [PATCH bpf-next v3 1/3] " Yiyang Chen
2026-06-22 7:30 ` [PATCH bpf-next v3 2/3] selftests/hid: Load only requested struct_ops maps Yiyang Chen
2026-06-22 7:30 ` [PATCH bpf-next v3 3/3] selftests/hid: Cover hid_bpf_get_data() size overflow Yiyang Chen
2026-06-22 18:18 ` [PATCH bpf-next v3 1/3] HID: bpf: Fix hid_bpf_get_data() range check Eduard Zingerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=509c1ebe734f2319372b2c5f9b02979f07a7ad5dfb44dfc9062501c1440b6633@mail.kernel.org \
--to=bot+bpf-ci@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bentiss@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=chenyy23@mails.tsinghua.edu.cn \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=ihor.solodrai@linux.dev \
--cc=jikos@kernel.org \
--cc=jolsa@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox