BPF List
* [PATCH bpf v3] bpf: Limit signature size to KMALLOC_MAX_CACHE_SIZE
@ 2026-02-05  6:38 KP Singh
  2026-02-05 10:29 ` Daniel Borkmann
  2026-02-05 16:35 ` Alexei Starovoitov
  0 siblings, 2 replies; 3+ messages in thread
From: KP Singh @ 2026-02-05  6:38 UTC (permalink / raw)
  To: bpf; +Cc: ast, daniel, clm, KP Singh

Practical BPF signatures are significantly smaller than
KMALLOC_MAX_CACHE_SIZE

Allowing larger sizes opens the door for abuse by passing excessive
size values and forcing the kernel into expensive allocation paths (via
kmalloc_large or vmalloc).

Fixes: 349271568303 ("bpf: Implement signature verification for BPF programs")
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 kernel/bpf/syscall.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 4ff82144f885..15e87f507991 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2820,6 +2820,12 @@ static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr
 	void *sig;
 	int err = 0;
 
+	/* Don't attempt to use kmalloc_large or vmalloc for signatures.
+	 * Practical signature for BPF program should be below this limit.
+	 */
+	if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)
+		return -EINVAL;
+
 	if (system_keyring_id_check(attr->keyring_id) == 0)
 		key = bpf_lookup_system_key(attr->keyring_id);
 	else
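Review bot: The new bound at `if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)` returns -EINVAL, which gives a loader no hint that the size was the rejected attribute or what the ceiling is. Consider documenting the limit where `signature_size` is described for userspace, and stating in the commit message how large practical signatures actually are rather than only that they are "significantly smaller". Placing the check ahead of the `system_keyring_id_check()` branch is right, since an oversized request is refused before the key lookup that follows it. The comment's second sentence would read better as "Practical signatures for BPF programs should be below this limit."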
-- 
2.43.0



* Re: [PATCH bpf v3] bpf: Limit signature size to KMALLOC_MAX_CACHE_SIZE
From: Daniel Borkmann @ 2026-02-05 10:29 UTC (permalink / raw)
  To: KP Singh, bpf; +Cc: ast, clm

On 2/5/26 7:38 AM, KP Singh wrote:
> Practical BPF signatures are significantly smaller than
> KMALLOC_MAX_CACHE_SIZE
> 
> Allowing larger sizes opens the door for abuse by passing excessive
> size values and forcing the kernel into expensive allocation paths (via
> kmalloc_large or vmalloc).
> 
> Fixes: 349271568303 ("bpf: Implement signature verification for BPF programs")
> Reported-by: Chris Mason <clm@meta.com>
> Signed-off-by: KP Singh <kpsingh@kernel.org>

[ tree would be bpf-next ]

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

> ---

Next time pls add a small changelog below the "---".

>   kernel/bpf/syscall.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
Thanks,
Daniel


* Re: [PATCH bpf v3] bpf: Limit signature size to KMALLOC_MAX_CACHE_SIZE
From: Alexei Starovoitov @ 2026-02-05 16:35 UTC (permalink / raw)
  To: KP Singh; +Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Chris Mason

On Wed, Feb 4, 2026 at 10:38 PM KP Singh <kpsingh@kernel.org> wrote:
>
> Practical BPF signatures are significantly smaller than
> KMALLOC_MAX_CACHE_SIZE
>
> Allowing larger sizes opens the door for abuse by passing excessive
> size values and forcing the kernel into expensive allocation paths (via
> kmalloc_large or vmalloc).
>
> Fixes: 349271568303 ("bpf: Implement signature verification for BPF programs")
> Reported-by: Chris Mason <clm@meta.com>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  kernel/bpf/syscall.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 4ff82144f885..15e87f507991 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -2820,6 +2820,12 @@ static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr
>         void *sig;
>         int err = 0;
>
> +       /* Don't attempt to use kmalloc_large or vmalloc for signatures.
> +        * Practical signature for BPF program should be below this limit.
> +        */

Applied and adjusted comment to be in proper kernel style.
We don't use networking style in new code any more.
