All of lore.kernel.org
 help / color / mirror / Atom feed
From: John Fastabend <john.fastabend@gmail.com>
To: Vuln seeker Cyber Security Team <security@vulnseeker.org>
Cc: bpf@vger.kernel.org
Subject: Re: Responsible Disclosure: Heap Out-of-Bounds Write via Integer Underflow in libbpf parse_cpu_mask_str() (libbpf.c:14446)
Date: Tue, 7 Jul 2026 07:47:32 -0700	[thread overview]
Message-ID: <ak0QM9G74dc3jpWc@john-p8> (raw)
In-Reply-To: <CAO_sQLjn=hghkb7SZr2UWexf=opgLTu5_AHR2uTQrJ1r13vpjg@mail.gmail.com>

On Fri, Jul 03, 2026 at 05:22:30PM +0500, Vuln seeker Cyber Security Team wrote:
>Dear libbpf Security Team,

[...]

>libbpf's CPU mask parser. An integer underflow in parse_cpu_mask_str()
>causes a memset to write far past a shrunk heap allocation, reachable
>end-to-end through the public libbpf_num_possible_cpus() API.

Send the fix seems worth checking to me if we are already checking
start/end. If some app is exposing user input to this then I would
push a report to them.

[...]

>  - Any downstream consumer that feeds untrusted CPU-mask strings to 
>  the
>internal parse_cpu_mask_str helper directly


Not sure why untrusted input is getting here but sure if someone
is piping user input to libbpf let them know. I think if you have
untrusted user input hitting libbpf you have bigger problems.

[...]

>
>  if (start < *mask_sz)
>      return -EINVAL;  // "CPU range out of order or overlapping"
>

Send a fix. Thanks.

  reply	other threads:[~2026-07-07 14:47 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 12:22 Responsible Disclosure: Heap Out-of-Bounds Write via Integer Underflow in libbpf parse_cpu_mask_str() (libbpf.c:14446) Vuln seeker Cyber Security Team
2026-07-07 14:47 ` John Fastabend [this message]
2026-07-08  7:33   ` Vuln seeker Cyber Security Team

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ak0QM9G74dc3jpWc@john-p8 \
    --to=john.fastabend@gmail.com \
    --cc=bpf@vger.kernel.org \
    --cc=security@vulnseeker.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.