Commit 3ac1a467 authored Apr 27, 2026 by Junyoung Jang Committed by Alexei Starovoitov May 09, 2026

bpf: Fix off-by-one boundary validation in arena direct-value access



BPF_MAP_TYPE_ARENA accepts BPF_PSEUDO_MAP_VALUE offsets at exactly
the end of the arena mapping (off == arena_size). The boundary check
in arena_map_direct_value_addr() uses `>` instead of `>=`, which
incorrectly allows a one-past-end pointer to be accepted.

Change the condition to `>=` to correctly reject offsets that fall
outside the valid arena user_vm range.

Fixes: 31746031 ("bpf: Introduce bpf_arena.")
Signed-off-by: Junyoung Jang <graypanda.inzag@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260426172505.1947915-1-graypanda.inzag@gmail.com


Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent bf6d507f

kernel/bpf/arena.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -511,7 +511,7 @@ static int arena_map_direct_value_addr(const struct bpf_map map, u64 imm, u32
		{
		struct bpf_arena *arena = container_of(map, struct bpf_arena, map);

		if ((u64)off > arena->user_vm_end - arena->user_vm_start)
		if ((u64)off >= arena->user_vm_end - arena->user_vm_start)
		return -ERANGE;
		*imm = (unsigned long)arena->user_vm_start;
		return 0;