From: Yonghong Song <yonghong.song@linux.dev>
To: Dawei Feng <dawei.feng@seu.edu.cn>, martin.lau@linux.dev
Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net,
andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com,
song@kernel.org, jolsa@kernel.org, kees@kernel.org,
joel.granados@kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
jianhao.xu@seu.edu.cn, Zilin Guan <zilin@seu.edu.cn>
Subject: Re: [PATCH v3 1/3] bpf: NUL-terminate replaced sysctl value
Date: Wed, 3 Jun 2026 07:47:33 -0700 [thread overview]
Message-ID: <555331d6-59e5-4925-a409-2bf4af273799@linux.dev> (raw)
In-Reply-To: <20260603105317.944304-2-dawei.feng@seu.edu.cn>
On 6/3/26 3:53 AM, Dawei Feng wrote:
> When writing to sysctls, proc_sys_call_handler() guarantees that the
> buffer passed to proc handlers is NUL-terminated. If
> bpf_sysctl_set_new_value() replaces the pending sysctl value, it can
> hand a replacement buffer directly to proc handlers. However, the
> helper currently copies only buf_len bytes into that buffer without
> appending a NUL terminator, leaving downstream parsers vulnerable to
> out-of-bounds access.
>
> Fix this by appending a '\0' after the replaced value to restore the
> expected sysctl semantics. Since the helper already rejects buf_len
> greater than PAGE_SIZE - 1, there is always room for the extra byte.
>
> Reproduced in a QEMU x86_64 guest booted with KASAN while exercising
> the sysctl replacement path with a cgroup/sysctl BPF program. The
> reproducer targets `/proc/sys/net/core/flow_limit_cpu_bitmap`, fills
> the original user write buffer with non-zero bytes, and overrides the
> sysctl value so the replacement buffer lacks a terminating NUL. Under
> that setup, the pre-fix kernel reported:
>
> BUG: KASAN: slab-out-of-bounds in strnchrnul+0x72/0x90
> Read of size 1 at addr ffff88800de57000 by task repro_patch3/66
> CPU: 0 UID: 0 PID: 66 Comm: repro_patch3 Not tainted 7.1.0-rc3-00269-g8370ca1f87cc #6 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x68/0xa0
> print_report+0xcb/0x5e0
> ? __virt_addr_valid+0x21d/0x3f0
> ? strnchrnul+0x72/0x90
> ? strnchrnul+0x72/0x90
> kasan_report+0xca/0x100
> ? strnchrnul+0x72/0x90
> strnchrnul+0x72/0x90
> bitmap_parse+0x37/0x2e0
> flow_limit_cpu_sysctl+0xc6/0x840
> ? __pfx_flow_limit_cpu_sysctl+0x10/0x10
> ? __kvmalloc_node_noprof+0x5ba/0x870
> proc_sys_call_handler+0x31d/0x480
> ? __pfx_proc_sys_call_handler+0x10/0x10
> ? selinux_file_permission+0x39f/0x500
> ? lock_is_held_type+0x9e/0x120
> vfs_write+0x98e/0x1000
> ...
> </TASK>
> The buggy address is located 0 bytes to the right of
> allocated 4096-byte region [ffff88800de56000, ffff88800de57000)
> With this fix applied, rerunning the same sysctl-targeted path yields
> no corresponding KASAN reports.
>
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
> ---
> kernel/bpf/cgroup.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 876f6a81a9b6..2c7f72d3fb11 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -2342,6 +2342,7 @@ BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysctl_kern *, ctx,
> return -E2BIG;
>
> memcpy(ctx->new_val, buf, buf_len);
> + ((char *)ctx->new_val)[buf_len] = '\0';
Okay, I looked at your v2 comment and checked the bpf_sysctl_set_new_value again.
You above implementation is correct.
Acked-by: Yonghong Song <yonghong.song@linux.dev>
> ctx->new_len = buf_len;
> ctx->new_updated = 1;
>
next prev parent reply other threads:[~2026-06-03 14:47 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 10:53 [PATCH v3 0/3] bpf: fix sysctl new-value handling in __cgroup_bpf_run_filter_sysctl Dawei Feng
2026-06-03 10:53 ` [PATCH v3 1/3] bpf: NUL-terminate replaced sysctl value Dawei Feng
2026-06-03 11:36 ` bot+bpf-ci
2026-06-03 14:37 ` Yonghong Song
2026-06-03 23:23 ` Alexei Starovoitov
2026-06-04 19:35 ` Yonghong Song
2026-06-03 14:47 ` Yonghong Song [this message]
2026-06-03 10:53 ` [PATCH v3 2/3] bpf: use kvfree() for replaced sysctl write buffer Dawei Feng
2026-06-03 10:53 ` [PATCH v3 3/3] bpf: Restore sysctl new-value from 1 to 0 Dawei Feng
2026-06-03 11:19 ` Jiayuan Chen
2026-06-03 11:36 ` bot+bpf-ci
2026-06-03 13:32 ` Mykyta Yatsenko
2026-06-05 2:55 ` Xu Kuohai
2026-06-05 23:00 ` [PATCH v3 0/3] bpf: fix sysctl new-value handling in __cgroup_bpf_run_filter_sysctl patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555331d6-59e5-4925-a409-2bf4af273799@linux.dev \
--to=yonghong.song@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dawei.feng@seu.edu.cn \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=jianhao.xu@seu.edu.cn \
--cc=joel.granados@kernel.org \
--cc=jolsa@kernel.org \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=song@kernel.org \
--cc=zilin@seu.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.