On Wed, Apr 5, 2023 at 6:40 PM Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote: > > Can we check that both fields are zero when entering the syscall? > > Yep, it already happens and is done by generic > bpf_check_uarg_tail_zero() check in __sys_bpf. I thought that check only happens if expected_size > actual_size? I'm thinking of the actual_size == expected_size case, what prevents user space from setting log_size_actual to a non-zero value?
