Re: [PATCH bpf v3 0/2] bpf: Fix SOCK_OPS_GET_SK same-register OOB read in sock_ops and add selftest

Next message: anthony . yznaga: "Re: [PATCH v2 2/2] selftests/mm: verify droppable mappings cannot be locked"
Previous message: Veronika Kossmann: "Re: [PATCH] hwmon: (asus-ec-sensors) add ROG STRIX B650E-E GAMING WIFI"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH bpf v3 0/2] bpf: Fix SOCK_OPS_GET_SK same-register OOB read in sock_ops and add selftest"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin KaFai Lau

Date: Wed Apr 08 2026 - 16:35:53 EST

On Tue, Apr 07, 2026 at 10:26:26AM +0800, Jiayuan Chen wrote:
> When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg,
> the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the
> destination register in the !fullsock / !locked_tcp_sock path, leading to
> OOB read (GET_SK) and kernel pointer leak (GET_FIELD).

Acked-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>

Jakub, can you help to push it to the net tree? Thanks!