Hi,

On 4/6/2024 9:44 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
> git tree: bpf
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=148ad855180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
> dashboard link: https://syzkaller.appspot.com/bug?extid=9459b5d7fab774cf182f
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d86795180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143eff76180000

According to the reproducer, it passes a big value_size (0xfffffe00) when creating a bloom filter map. The big value_size bypasses the check in check_stack_access_within_bounds(). I think a proper fix needs to add the following two checks:

(1) in check_stack_access_within_bounds(), add a check for a negative access_size
(2) in bloom_map_alloc(), limit the max value of bloom_map_alloc().

Will post a patch to fix the syzbot report. Will also check whether or not there are similar problems for other bpf maps.
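A constructed C model of the arithmetic described in the reply above (added here as an illustration; it is not the kernel's check_stack_access_within_bounds() and not part of this thread): the 32-bit value_size 0xfffffe00 becomes a negative access_size once it is held in an int, a max_off-only bounds test then cannot catch it, and a non-negative size check rejects it up front. The function names, the MAX_BPF_STACK constant and the sample offset are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code. BPF stack offsets are negative:
 * the frame occupies [-MAX_BPF_STACK, 0), so a valid access must stay
 * inside that range. */
#define MAX_BPF_STACK 512
#define EINVAL 22
#define EACCES 13

/* Naive check: validates the start offset and only rejects the end of the
 * access when it runs past offset 0. A negative access_size makes max_off
 * smaller than min_off, so "max_off > 0" never fires. */
static int check_within_bounds_naive(int off, int access_size)
{
    int min_off = off;
    int max_off = off + access_size;   /* goes backwards if size < 0 */

    if (min_off < -MAX_BPF_STACK || min_off >= 0)
        return -EACCES;                /* start of access outside frame */
    if (max_off > 0)
        return -EINVAL;                /* end of access above the frame */
    return 0;
}

/* Hardened check: a size that is not non-negative is rejected before any
 * offset arithmetic, which is the first of the two fixes proposed above. */
static int check_within_bounds_hardened(int off, int access_size)
{
    if (access_size < 0)
        return -EACCES;
    return check_within_bounds_naive(off, access_size);
}

/* The value_size from the report, reinterpreted the way an int parameter
 * would see it. Returns -512. */
static int value_size_as_int(void)
{
    uint32_t value_size = 0xfffffe00u;  /* constructed from the report */
    return (int32_t)value_size;
}

int main(void)
{
    int size = value_size_as_int();
    printf("value_size 0xfffffe00 as int: %d\n", size);
    printf("naive check (off=-8):    %d\n", check_within_bounds_naive(-8, size));
    printf("hardened check (off=-8): %d\n", check_within_bounds_hardened(-8, size));
    return 0;
}
```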