Hello:

This series was applied to bpf/bpf-next.git (master)
by Martin KaFai Lau <martin.lau@xxxxxxxxxx>:

On Fri, 4 Aug 2023 15:11:11 +0200 you wrote:
> syzbot reported an UBSAN array-index-out-of-bounds access in bpf_mprog_read()
> upon bpf_mprog_detach(). While it did not have a reproducer, I was able to
> manually reproduce through an empty mprog entry which just has miniq present.
>
> The latter is important given otherwise we get an ENOENT error as tcx detaches
> the whole mprog entry. The index 4294967295 was triggered via NULL dtuple.prog
> which then attempts to detach from the back. bpf_mprog_fetch() in this case
> did hit the idx == total and therefore tried to grab the entry at idx -1.
>
> [...]

Here is the summary with links:
  - [bpf-next,1/2] bpf: Fix mprog detachment for empty mprog entry
    https://git.kernel.org/bpf/bpf-next/c/d210f9735e13
  - [bpf-next,2/2] selftests/bpf: Add test for detachment on empty mprog entry
    https://git.kernel.org/bpf/bpf-next/c/21ce6abe178a

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
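
The index 4294967295 in the quoted report is what an unsigned 32-bit "total - 1" yields when total is 0. The model below is an added example, not code from the patch or the kernel: struct model_entry, back_index(), model_detach_back() and MODEL_MAX_PROGS are hypothetical names, and the empty-entry guard is one possible check, not necessarily what the commit does.

```c
/* Constructed model of "detach from the back" on a program array.
 * Not kernel code: every name here is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_MAX_PROGS 4            /* assumed capacity for the model */

struct model_entry {
    const void *progs[MODEL_MAX_PROGS];
    uint32_t total;                  /* number of attached programs */
};

/* Index chosen when no program is named: the last occupied slot.
 * With total == 0 the unsigned subtraction wraps to 4294967295. */
static uint32_t back_index(const struct model_entry *e)
{
    return e->total - 1;
}

/* Guarded detach: reject an empty entry before any index is derived,
 * then still bound-check the index before touching the array. */
static int model_detach_back(struct model_entry *e, const void **out)
{
    uint32_t idx;

    if (e->total == 0)
        return -ENOENT;              /* nothing attached, nothing to detach */
    idx = back_index(e);
    if (idx >= MODEL_MAX_PROGS)
        return -ERANGE;              /* defence in depth on the array bound */
    *out = e->progs[idx];
    e->progs[idx] = NULL;
    e->total--;
    return 0;
}

int main(void)
{
    struct model_entry empty = { .total = 0 };
    const void *p = NULL;

    /* Exit status 0 when the empty entry is rejected cleanly. */
    return model_detach_back(&empty, &p) == -ENOENT ? 0 : 1;
}
```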