BPF List
From: sashiko-bot@kernel.org
To: "Leon Hwang" <leon.hwang@linux.dev>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data
Date: Mon, 29 Jun 2026 15:40:55 +0000
Message-ID: <20260629154055.6DD941F00A3A@smtp.kernel.org>
In-Reply-To: <20260629152406.52582-5-leon.hwang@linux.dev>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Integer truncation in `bpf_object__init_internal_map` leads to buffer overflow when parsing ELF sections larger than 4GB.
--

commit 03705a88bed3644f27861637702d0bad3472613b
Author: Leon Hwang <leon.hwang@linux.dev>

libbpf: Add support for global percpu data

This commit adds support for global percpu data in libbpf by adding a new
".percpu" section. It enables efficient handling of percpu global variables
in BPF programs by using BPF_F_ALL_CPUS during map updates. The mmaped data
is marked as read-only after map population for syscalls.

> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 7162146280a80..6e18a1628e139 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c

[ ... ]

> @@ -1983,7 +1989,7 @@ bpf_object__init_internal_map(struct bpf_object *obj, enum libbpf_map_type type,
>  	}
>  
>  	def = &map->def;
> -	def->type = BPF_MAP_TYPE_ARRAY;
> +	def->type = is_percpu ? BPF_MAP_TYPE_PERCPU_ARRAY : BPF_MAP_TYPE_ARRAY;
>  	def->key_size = sizeof(int);
>  	def->value_size = data_sz;
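
Review bot: the `def->value_size = data_sz;` context line that closes this hunk stores the section size into the map definition with no range check, and the changed `def->type` line above it now sends `.percpu` sections through that same assignment. Consider rejecting a `data_sz` that does not fit in `def->value_size` before this point and returning an error, so the new percpu path does not inherit a silent narrowing.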

[Severity: High]
This is a pre-existing issue, but could this integer truncation lead to a
buffer overflow?

If a user supplies a crafted ELF file with a section (like .data, .rodata,
or .percpu) larger than 4GB, the 64-bit data_sz is implicitly truncated when
assigned to the 32-bit def->value_size.

This results in a smaller mmap allocation based on the truncated value. Later
in bpf_object__init_internal_map(), memcpy uses the original 64-bit data_sz:

	if (data)
		memcpy(map->mmaped, data, data_sz);

Can this overflow the allocated buffer when parsing unverified BPF objects?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629152406.52582-1-leon.hwang@linux.dev?part=4
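
The narrowing described in the review above, as an added example that is not part of the original message, the patch, or libbpf. `struct map_def`, `struct internal_map`, `narrowed_value_size()` and `init_internal_map_checked()` are hypothetical stand-ins for the structures the review names, and `calloc()` stands in for the mmap allocation; the section size is a constructed value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the libbpf structures named in the review. */
struct map_def { uint32_t key_size; uint32_t value_size; };
struct internal_map { struct map_def def; void *mmaped; };

/* What the implicit conversion in `def->value_size = data_sz` stores. */
static uint32_t narrowed_value_size(uint64_t data_sz)
{
	return (uint32_t)data_sz; /* keeps only the low 32 bits */
}

/* Hardened form: reject sizes that do not fit before allocating or copying,
 * so the allocation size and the copy length are always the same number. */
static int init_internal_map_checked(struct internal_map *map,
				     const void *data, uint64_t data_sz)
{
	if (data_sz == 0)
		return -EINVAL;
	if (data_sz > UINT32_MAX)
		return -E2BIG;

	map->def.key_size = sizeof(int);
	map->def.value_size = (uint32_t)data_sz; /* lossless after the check */

	/* calloc() stands in for the mmap() of value_size bytes (assumption) */
	map->mmaped = calloc(1, map->def.value_size);
	if (!map->mmaped)
		return -ENOMEM;
	if (data)
		memcpy(map->mmaped, data, map->def.value_size);
	return 0;
}

int main(void)
{
	uint64_t sz = (1ULL << 32) + 16; /* constructed: 4 GiB + 16 bytes */
	char small[64] = "constructed .data contents";
	struct internal_map m = {0};

	if (narrowed_value_size(sz) != 16) return 1;
	if (init_internal_map_checked(&m, NULL, sz) != -E2BIG) return 1;
	if (init_internal_map_checked(&m, small, sizeof(small)) != 0) return 1;
	free(m.mmaped);
	return 0;
}
```

The copy length is taken from the already-validated `value_size` rather than from the original 64-bit size, which is what keeps the allocation and the `memcpy` in agreement.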
