From: Martin KaFai Lau <martin.lau@linux.dev>
To: xulang <xulang@uniontech.com>,
	yonghong.song@linux.dev, Paul Chaignon <paul.chaignon@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net,
	andrii@kernel.org, eddyz87@gmail.com, song@kernel.org,
	john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me,
	haoluo@google.com, jolsa@kernel.org, kaiyanm@hust.edu.cn,
	huyinhao@hust.edu.cn, dzm91@hust.edu.cn, kernel@uniontech.com,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf v1] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage
Date: Fri, 13 Mar 2026 13:34:53 -0700	[thread overview]
Message-ID: <db2e04a2-3cf4-40f3-85ef-14197148d027@linux.dev> (raw)
In-Reply-To: <204030CBF30066BE+20260312052525.1254217-1-xulang@uniontech.com>

On 3/11/26 10:25 PM, xulang wrote:
> From: Lang Xu <xulang@uniontech.com>
> 
> An out-of-bounds read occurs when copying element from a
> BPF_MAP_TYPE_CGROUP_STORAGE map to another map type with the same
> value_size that is not 8-byte aligned.
> 
> The issue happens when:
> 1. A CGROUP_STORAGE map is created with value_size not aligned to
>    8 bytes (e.g., 4 bytes)
> 2. A HASH map is created with the same value_size (e.g., 4 bytes)
> 3. An element in map 2 is updated with data from map 1

Please create a selftest for this.

pw-bot: cr

> 
> In the kernel, map elements are typically aligned to 8 bytes. However,
> bpf_cgroup_storage_calculate_size() allocates storage based on the exact
> value_size without alignment. When copy_map_value_long() is called, it
> assumes all map values are 8-byte aligned and rounds up the copy size,
> leading to a 4-byte out-of-bounds read from the cgroup storage buffer.
> 
> This patch fixes the issue by ensuring cgroup storage allocates 8-byte
> aligned buffers, matching the assumptions in copy_map_value_long().

This is fixing the src side of the "copy_map_value_long(map, dst, src)".
The src could also be from a skb? What is the value_size that the
verifier is checking for bpf_map_update_elem?
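To make the size mismatch in the quoted commit message concrete, here is an added C model (not kernel code, and not part of this thread); the function names are illustrative stand-ins for bpf_cgroup_storage_calculate_size() and copy_map_value_long() as the commit message describes them, contrasting the exact-size allocation with the rounded-up copy length and showing that padding the allocation to 8 bytes removes the over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round n up to a multiple of 8, like the kernel's round_up(n, 8). */
static size_t round_up8(size_t n) { return (n + 7) & ~(size_t)7; }

/* Model of the unfixed behaviour: cgroup storage allocated at the exact value_size. */
static size_t cgroup_storage_alloc_unfixed(size_t value_size) { return value_size; }

/* Model of the fixed behaviour: allocation padded to an 8-byte multiple. */
static size_t cgroup_storage_alloc_fixed(size_t value_size) { return round_up8(value_size); }

/* Model of the copy length: copy_map_value_long() copies round_up(value_size, 8) bytes. */
static size_t copy_len_long(size_t value_size) { return round_up8(value_size); }

/* Bytes the rounded copy reads past the end of a source buffer of alloc_size bytes. */
static size_t overread_bytes(size_t alloc_size, size_t value_size) {
    size_t n = copy_len_long(value_size);
    return n > alloc_size ? n - alloc_size : 0;
}

/* Bounds-checked model of the copy: 0 on success, -1 when the rounded copy would
 * read past the source allocation or write past the destination. */
static int checked_copy(uint8_t *dst, size_t dst_size,
                        const uint8_t *src, size_t src_alloc, size_t value_size) {
    size_t n = copy_len_long(value_size);
    if (n > src_alloc || n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

int main(void) {
    /* Constructed sample: a 4-byte value; the hash-map side is already 8-byte padded. */
    uint8_t src[8] = {1, 2, 3, 4, 0, 0, 0, 0};
    uint8_t dst[8] = {0};
    size_t vs = 4;
    printf("value_size=%zu: copy %zu bytes, unfixed alloc %zu, over-read %zu bytes\n",
           vs, copy_len_long(vs), cgroup_storage_alloc_unfixed(vs),
           overread_bytes(cgroup_storage_alloc_unfixed(vs), vs));
    printf("unfixed copy rc=%d, fixed copy rc=%d\n",
           checked_copy(dst, sizeof dst, src, cgroup_storage_alloc_unfixed(vs), vs),
           checked_copy(dst, sizeof dst, src, cgroup_storage_alloc_fixed(vs), vs));
    return 0;
}
```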
