On Tue, 2025-07-22 at 16:32 +0200, Paul Chaignon wrote:
> The following BPF program, simplified from a syzkaller repro, causes a
> kernel warning:
>
>     r0 = *(u8 *)(r1 + 169);
>     exit;
>
> With pointer field sk being at offset 168 in __sk_buff. This access is
> detected as a narrower read in bpf_skb_is_valid_access because it
> doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
> and later proceeds to bpf_convert_ctx_access. At that point,
> target_size is null and the verifier errors with a kernel warning and:
>
>     verifier bug: error during ctx access conversion(1)
>
> This patch fixes that to return a proper "invalid bpf_context access
> off=X size=Y" error on the load instruction.
>
> The same issue affects multiple other fields in context structures that
> allow narrow access. Some other non-affected fields (for sk_msg,
> sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
> consistency.
>
> Note this syzkaller crash was reported in [1], which used to be about a
> different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle
> BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow
> confused the two bugs, the new crash and repro didn't get reported to
> the mailing list.
>
> Link: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec [1]
> Fixes: f96da09473b52 ("bpf: simplify narrower ctx access")
> Fixes: 0df1a55afa832 ("bpf: Warn on internal verifier errors")
> Reported-by: syzbot+0ef84a7bdf5301d4cbec@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Paul Chaignon <paul.chaignon@xxxxxxxxx>
> ---
> Changes in v2:
> - Use bpf_ctx_range{,_ptr} for a few other fields, for consistency,
>   as suggested by Eduard and John.
> - Fix accesses to skb_hwtstamp, reported by Eduard.

Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
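As an added illustration of the bug class discussed above (not code from the patch or the thread), the following standalone C model contrasts matching a pointer field by its start offset alone with matching its whole byte range, the way bpf_ctx_range_ptr does. It assumes a constructed struct ctx_model whose only tie to __sk_buff is that the 8-byte pointer field sk starts at offset 168; the bounds, alignment and narrow-read rules are simplified stand-ins for the kernel's, not its actual code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for __sk_buff: sk (8-byte pointer field) at offset 168. */
struct ctx_model {
    uint8_t  scalars[168];   /* u32-sized scalar fields, narrow reads are fine */
    uint64_t sk;             /* pointer field, must be read whole */
    uint8_t  rest[16];
};

#define offsetofend(T, M) (offsetof(T, M) + sizeof(((T *)0)->M))
/* Same shape as the kernel's bpf_ctx_range_ptr(): a case range over the field. */
#define ctx_range_ptr(T, M) offsetof(T, M) ... offsetofend(T, M) - 1

enum verdict { REJECT, ALLOW_PTR, ALLOW_SCALAR };

/* Common prologue: in bounds and size-aligned. Note 169 % 1 == 0, so it passes. */
static bool basic_ok(int off, int size)
{
    return size > 0 && off >= 0 && off + size <= (int)sizeof(struct ctx_model)
        && off % size == 0;
}

/* Default arm (simplified): reads of a power-of-two size up to 4 bytes. */
static enum verdict scalar_read(int size, bool is_write)
{
    return (is_write || size > 4 || (size & (size - 1))) ? REJECT : ALLOW_SCALAR;
}

/* Before the fix: sk is matched only at its start offset, so off=169 size=1
 * falls through to the default arm and is accepted as a narrow read. */
enum verdict check_before(int off, int size, bool is_write)
{
    if (!basic_ok(off, size))
        return REJECT;
    switch (off) {
    case offsetof(struct ctx_model, sk):
        return (is_write || size != 8) ? REJECT : ALLOW_PTR;
    default:
        return scalar_read(size, is_write);
    }
}

/* After the fix: every byte of sk hits the pointer arm, so the same access is
 * refused up front instead of reaching context conversion. */
enum verdict check_after(int off, int size, bool is_write)
{
    if (!basic_ok(off, size))
        return REJECT;
    switch (off) {
    case ctx_range_ptr(struct ctx_model, sk):
        return (is_write || size != 8) ? REJECT : ALLOW_PTR;
    default:
        return scalar_read(size, is_write);
    }
}
```

Feeding the report's access (off=169, size=1) to both functions shows the first one returning ALLOW_SCALAR and the second REJECT, while a whole 8-byte read at 168 is accepted by both.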