From: Martin KaFai Lau <martin.lau@linux.dev>
To: xulang <xulang@uniontech.com>
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, dzm91@hust.edu.cn, eddyz87@gmail.com,
haoluo@google.com, ihor.solodrai@linux.dev,
john.fastabend@gmail.com, jolsa@kernel.org, kaiyanm@hust.edu.cn,
kernel@uniontech.com, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, paul.chaignon@gmail.com,
sdf@fomichev.me, song@kernel.org, yonghong.song@linux.dev
Subject: Re: [PATCH bpf 1/2] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage
Date: Mon, 30 Mar 2026 21:39:56 -0700 [thread overview]
Message-ID: <c12eccb7-d0ba-48a2-ba11-59d25958de92@linux.dev> (raw)
In-Reply-To: <FA0A9158227E9982+20260330063228.183119-1-xulang@uniontech.com>
On 3/29/26 11:32 PM, xulang wrote:
>>From looking at git history on pcpu_init_value, the issue should be
>> introduced in commit d3bec0138bfb.
> I've tried for several days, to adjust 'offset' to match the 'data_end', but couldn't
> reproduce this OOB since there seems to be always a 'tail room' after the 'data_end'.
> I've checked how the buffer of a 'skb' is alloced, take driver 'e1000' for example,
> it has many complicated round-up operations, in my test, when I send a UDP package
> with payload size less than 210, the alloced buffer size of a skb seems to be always
> 448, I've also checked the validity of its KASAN shadow memory, it also says 448. when
> I go on increasing the payload size(over 210), for example, 211, the buffer size grows
> sharply, I haven't found out when the 'data_end' reaches the 'tail end' yet, different
> NIC driver may behave differently on the 'tail room'?
It is hard to audit all possible sources.
> In my opinion, 'pcpu_init_value' shouldn't read 8 bytes if it has
> no guarantee that the 'src' is rounded up to 8-bytes.
so make sense not to read more than what the verifier has verified.
Before commit d3bec0138bfb, it didn't round up.
The current pcpu_copy_value() also uses copy_map_value() instead of
copy_map_value_long().
next prev parent reply other threads:[~2026-03-31 4:40 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 5:25 [PATCH bpf v1] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage xulang
2026-03-12 11:51 ` Paul Chaignon
2026-03-12 16:41 ` Yonghong Song
2026-03-12 18:02 ` Paul Chaignon
2026-03-12 19:58 ` Yonghong Song
2026-03-12 16:46 ` Yonghong Song
2026-03-13 20:34 ` Martin KaFai Lau
2026-03-16 13:51 ` xulang
2026-03-16 20:50 ` Martin KaFai Lau
2026-03-16 21:22 ` Ihor Solodrai
2026-03-17 10:02 ` [PATCH bpf 0/2] bpf: Fix and test cgroup storage OOB issue xulang
[not found] ` <20260317100227.2157104-1-xulang@uniontech.com>
2026-03-17 10:02 ` [PATCH bpf 1/2] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage xulang
2026-03-25 1:36 ` Martin KaFai Lau
2026-03-30 6:32 ` xulang
2026-03-31 4:39 ` Martin KaFai Lau [this message]
2026-03-17 10:02 ` [PATCH bpf 2/2] selftests/bpf: Add test for cgroup storage OOB read xulang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c12eccb7-d0ba-48a2-ba11-59d25958de92@linux.dev \
--to=martin.lau@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dzm91@hust.edu.cn \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=ihor.solodrai@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kaiyanm@hust.edu.cn \
--cc=kernel@uniontech.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul.chaignon@gmail.com \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=xulang@uniontech.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.