From: Martin KaFai Lau <martin.lau@linux.dev>
To: xulang <xulang@uniontech.com>
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, dzm91@hust.edu.cn, eddyz87@gmail.com,
haoluo@google.com, huyinhao@hust.edu.cn,
john.fastabend@gmail.com, jolsa@kernel.org, kaiyanm@hust.edu.cn,
kernel@uniontech.com, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, paul.chaignon@gmail.com,
sdf@fomichev.me, song@kernel.org, yonghong.song@linux.dev,
ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf v1] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage
Date: Mon, 16 Mar 2026 13:50:15 -0700 [thread overview]
Message-ID: <82ee475b-034a-442c-b290-cc7905a7f33c@linux.dev> (raw)
In-Reply-To: <D3B60D7890B13875+reply-to-v1-review@uniontech.com>
On 3/16/26 6:51 AM, xulang wrote:
> From: Lang Xu <xulang@uniontech.com>
>
>> Please create a selftest for this.
>
> Going to do that. To stably reproduce this bug, I need the KASAN
> config enabled, how do I ensure it's enabled during a selftest cycle,
> by adding the line below to the 'config'? not quite sure.
>
> --- a/tools/testing/selftests/bpf/config
> +++ b/tools/testing/selftests/bpf/config
> @@ -46,6 +46,7 @@ CONFIG_IPV6_GRE=y
> CONFIG_IPV6_SEG6_BPF=y
> CONFIG_IPV6_SIT=y
> CONFIG_IPV6_TUNNEL=y
> +CONFIG_KASAN=y
I would leave out this config change from this fix for now. cc: Ihor to
consider enabling it for bpf-next.
It is still useful to have a selftest for this case. I always have KASAN
turned on when running selftests.
>> This is fixing the src side of the "copy_map_value_long(map, dst, src)".
>> The src could also be from a skb? What is the value_size that the
>> verifier is checking for bpf_map_update_elem?
>
> The value_size checked by verifier is exactly the size with which
> the map is defined, i.e., not the size rounded up to 8-byte by kernel
If the verifier ensures only 4-bytes, I am not sure if the helper should
read 8-bytes.
>
> As for bpf_map_update_elem->..->copy_map_value_long, 'src' couldn't be from
> 'skb' which mismatches the expected ptr-type of 'bpf_map_update_elem',
> I've tried codes like these:
>
> 1. bpf_map_update_elem(&lru_map, &key, skb, BPF_ANY);
> 2. bpf_map_update_elem(&lru_map, &key, skb->sk, BPF_ANY); // null checked
> 3. bpf_map_update_elem(&lru_map, &key, skb->flow_keys, BPF_ANY);
>
> All these ptrs mismatch the expected ptr-type, which can be detected by the verifier.
> The verifier complains with msg like 'R3 type=ctx expected=fp, pkt, pkt_meta, map_key,
> map_value, mem, ringbuf_mem, buf, trusted_ptr'
I meant the __sk_buff->data. Take a look at how skb->data can be used in
the selftests. __sk_buff->data may not have readable bytes rounded up to
8. Just one example that the src cannot always be fixed by allocating more.
From looking at git history on pcpu_init_value, the issue should be
introduced in commit d3bec0138bfb.
next prev parent reply other threads:[~2026-03-16 20:50 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 5:25 [PATCH bpf v1] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage xulang
2026-03-12 11:51 ` Paul Chaignon
2026-03-12 16:41 ` Yonghong Song
2026-03-12 18:02 ` Paul Chaignon
2026-03-12 19:58 ` Yonghong Song
2026-03-12 16:46 ` Yonghong Song
2026-03-13 20:34 ` Martin KaFai Lau
2026-03-16 13:51 ` xulang
2026-03-16 20:50 ` Martin KaFai Lau [this message]
2026-03-16 21:22 ` Ihor Solodrai
2026-03-17 10:02 ` [PATCH bpf 0/2] bpf: Fix and test cgroup storage OOB issue xulang
[not found] ` <20260317100227.2157104-1-xulang@uniontech.com>
2026-03-17 10:02 ` [PATCH bpf 1/2] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage xulang
2026-03-25 1:36 ` Martin KaFai Lau
2026-03-30 6:32 ` xulang
2026-03-31 4:39 ` Martin KaFai Lau
2026-03-17 10:02 ` [PATCH bpf 2/2] selftests/bpf: Add test for cgroup storage OOB read xulang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=82ee475b-034a-442c-b290-cc7905a7f33c@linux.dev \
--to=martin.lau@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dzm91@hust.edu.cn \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=huyinhao@hust.edu.cn \
--cc=ihor.solodrai@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kaiyanm@hust.edu.cn \
--cc=kernel@uniontech.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul.chaignon@gmail.com \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=xulang@uniontech.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.