Re: [PATCH bpf-next v2 4/7] libbpf: Skip initial_value override on signed loaders

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Daniel Borkmann" <daniel@iogearbox.net>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 4/7] libbpf: Skip initial_value override on signed loaders
Date: Mon, 01 Jun 2026 15:58:34 +0000	[thread overview]
Message-ID: <20260601155835.53D8C1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260601150248.394863-5-daniel@iogearbox.net>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Integer overflow in `add_data()`'s `roundup(size, 8)` can cause a massive out-of-bounds `memcpy()`, leading to a heap buffer overflow.
--

commit aaabe67208a39bc461c4602ad17bdd3b78f93227
Author: Daniel Borkmann <daniel@iogearbox.net>

    libbpf: Skip initial_value override on signed loaders

    bpf_gen__map_update_elem() emits code that, when the host-supplied
    loader ctx provides a non-NULL map_desc[idx].initial_value, overwrites
    the blob value with bytes read from the host (bpf_copy_from_user /
    bpf_probe_read_kernel) before the BPF_MAP_UPDATE_ELEM that populates
    the program's .data/.rodata/.bss maps. This override runs after
    emit_signature_match() has validated map->sha[], which lets an untrusted
    host substitute global-variable contents. This patch skips emitting the
    override for signed loaders.

> diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
> index 66a02039da8ce..a5d9c7a5261b0 100644
> --- a/tools/lib/bpf/gen_loader.c
> +++ b/tools/lib/bpf/gen_loader.c
> @@ -1187,27 +1187,36 @@ void bpf_gen__map_update_elem(struct bpf_gen *gen, int map_idx, void *pvalue,
>  	value = add_data(gen, pvalue, value_size);
>  	key = add_data(gen, &zero, sizeof(zero));

[Severity: High]
This isn't a bug introduced by this patch, but could this call to add_data()
lead to a heap buffer overflow if value_size is extremely large?

Looking at tools/lib/bpf/gen_loader.c:add_data():

static int add_data(struct bpf_gen *gen, const void *data, __u32 size)
{
	__u32 size8 = roundup(size, 8);
...
	if (realloc_data_buf(gen, size8))
		return 0;
	prev = gen->data_cur;
	if (data) {
		memcpy(gen->data_cur, data, size);

If a large size is passed (for example, 0xFFFFFFFC), the roundup(size, 8)
macro would evaluate to size + 7, overflowing the 32-bit unsigned integer
and wrapping around to 0.

This would cause realloc_data_buf() to successfully resize based on the
wrapped size, followed by memcpy() attempting to copy nearly 4GB of data
out of bounds.

Can a maliciously crafted BPF ELF file trigger this integer overflow during
skeleton generation?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260601150248.394863-1-daniel@iogearbox.net?part=4

next prev parent reply	other threads:[~2026-06-01 15:58 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-01 15:02 [PATCH bpf-next v2 0/7] More gen_loader fixes Daniel Borkmann
2026-06-01 15:02 ` [PATCH bpf-next v2 1/7] bpf: Reject exclusive maps as inner maps in map-in-map Daniel Borkmann
2026-06-01 15:18   ` sashiko-bot
2026-06-01 15:40     ` Daniel Borkmann
2026-06-01 15:02 ` [PATCH bpf-next v2 2/7] bpf: Drop redundant hash_buf from map_get_hash operation Daniel Borkmann
2026-06-01 15:29   ` sashiko-bot
2026-06-01 15:02 ` [PATCH bpf-next v2 3/7] libbpf: Reject non-exclusive metadata maps in the signed loader Daniel Borkmann
2026-06-01 16:03   ` bot+bpf-ci
2026-06-01 15:02 ` [PATCH bpf-next v2 4/7] libbpf: Skip initial_value override on signed loaders Daniel Borkmann
2026-06-01 15:48   ` bot+bpf-ci
2026-06-01 15:58   ` sashiko-bot [this message]
2026-06-01 15:02 ` [PATCH bpf-next v2 5/7] libbpf: Skip max_entries " Daniel Borkmann
2026-06-01 15:02 ` [PATCH bpf-next v2 6/7] selftests/bpf: Adjust verifier_map_ptr for the map's excl field Daniel Borkmann
2026-06-01 16:20   ` sashiko-bot
2026-06-01 15:02 ` [PATCH bpf-next v2 7/7] selftests/bpf: Test that exclusive maps are rejected in map-in-map Daniel Borkmann
2026-06-02  1:40 ` [PATCH bpf-next v2 0/7] More gen_loader fixes patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260601155835.53D8C1F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.