From: Greg KH <gregkh@linuxfoundation.org>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: Viktor Malik <vmalik@redhat.com>,
bpf@vger.kernel.org, Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, lmarch2 <2524158037@qq.com>,
stable@vger.kernel.org, Shung-Hsi Yu <shung-hsi.yu@suse.com>
Subject: Re: [PATCH bpf v2] libbpf: Fix buffer overflow in bpf_object__init_prog
Date: Sat, 12 Apr 2025 08:24:27 +0200 [thread overview]
Message-ID: <2025041242-ignore-python-f4ef@gregkh> (raw)
In-Reply-To: <CAEf4Bzb2S+1TonOp9UH86r0e6aGG2LEA4kwbQhJWr=9Xju=NEw@mail.gmail.com>
On Fri, Apr 11, 2025 at 09:22:37AM -0700, Andrii Nakryiko wrote:
> On Thu, Apr 10, 2025 at 2:55 AM Viktor Malik <vmalik@redhat.com> wrote:
> >
> > As reported by CVE-2025-29481 [1], it is possible to corrupt a BPF ELF
> > file such that arbitrary BPF instructions are loaded by libbpf. This can
> > be done by setting a symbol (BPF program) section offset to a large
> > (unsigned) number such that <section start + symbol offset> overflows
> > and points before the section data in the memory.
> >
> > Consider the situation below where:
> > - prog_start = sec_start + symbol_offset <-- size_t overflow here
> > - prog_end = prog_start + prog_size
> >
> > prog_start sec_start prog_end sec_end
> > | | | |
> > v v v v
> > .....................|################################|............
> >
> > The CVE report in [1] also provides a corrupted BPF ELF which can be
> > used as a reproducer:
> >
> > $ readelf -S crash
> > Section Headers:
> > [Nr] Name Type Address Offset
> > Size EntSize Flags Link Info Align
> > ...
> > [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
> > 0000000000000068 0000000000000000 AX 0 0 8
> >
> > $ readelf -s crash
> > Symbol table '.symtab' contains 8 entries:
> > Num: Value Size Type Bind Vis Ndx Name
> > ...
> > 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
> >
> > Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
> > point before the actual memory where section 2 is allocated.
> >
> > This is also reported by AddressSanitizer:
> >
> > =================================================================
> > ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
> > READ of size 104 at 0x7c7302fe0000 thread T0
> > #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
> > #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
> > #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
> > #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
> > #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
> > #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
> > #6 0x000000400c16 in main /poc/poc.c:8
> > #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
> > #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
> > #9 0x000000400b34 in _start (/poc/poc+0x400b34)
> >
> > 0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
> > allocated by thread T0 here:
> > #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
> > #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
> > #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
> > #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
> >
> > The problem here is that currently, libbpf only checks that the program
> > end is within the section bounds. There used to be a check
> > `while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
> > removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
> > sections to support overriden weak functions").
> >
> > Put the above condition back to bpf_object__init_prog to make sure that
> > the program start is also within the bounds of the section to avoid the
> > potential buffer overflow.
> >
> > [1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
> >
> > Reported-by: lmarch2 <2524158037@qq.com>
> > Cc: stable@vger.kernel.org
>
> Libbpf is packaged and consumed from Github mirror, which is produced
> from latest bpf-next and bpf trees, so there is no point in
> backporting fixes like this to stable kernel branches. Please drop the
> CC: stable in the next revision.
>
> > Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
> > Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
> > Link: https://www.cve.org/CVERecord?id=CVE-2025-29481
>
> libbpf is meant to load BPF programs under root. It's a
> highly-privileged operation, and libbpf is not meant, designed, and
> actually explicitly discouraged from loading untrusted ELF files. As
> such, this is just a normal bug fix, like lots of others. So let's
> drop the CVE link as well.
>
> Again, no one in their sane mind should be passing untrusted ELF files
> into libbpf while running under root. Period.
>
> All production use cases load ELF that they generated and control
> (usually embedded into their memory through BPF skeleton header). And
> if that ELF file is corrupted, you have problems somewhere else,
> libbpf is not a culprit.
Should that context-less CVE be revoked as well? Who asked for it to be
issued?
thanks,
greg k-h
next prev parent reply other threads:[~2025-04-12 6:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-10 9:55 [PATCH bpf v2] libbpf: Fix buffer overflow in bpf_object__init_prog Viktor Malik
2025-04-11 16:22 ` Andrii Nakryiko
2025-04-12 6:24 ` Greg KH [this message]
2025-04-14 5:05 ` Viktor Malik
2025-04-14 4:59 ` Viktor Malik
2025-04-15 9:30 ` Shung-Hsi Yu
2025-04-15 15:32 ` Viktor Malik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025041242-ignore-python-f4ef@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=2524158037@qq.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=shung-hsi.yu@suse.com \
--cc=song@kernel.org \
--cc=stable@vger.kernel.org \
--cc=vmalik@redhat.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.