BPF List
From: Leon Hwang <leon.hwang@linux.dev>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: sashiko-reviews@lists.linux.dev, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data
Date: Thu, 2 Jul 2026 14:23:36 +0800	[thread overview]
Message-ID: <6ac505f6-818d-4abb-bdca-6b96f1ce30f2@linux.dev> (raw)
In-Reply-To: <CAEf4BzbBpDQOG-xUArBzZa_qZ08q=QViH-bbFmqwLNesGvJLUA@mail.gmail.com>

On 2/7/26 03:31, Andrii Nakryiko wrote:
> On Mon, Jun 29, 2026 at 10:55 PM Leon Hwang <leon.hwang@linux.dev> wrote:
>>
>> On 29/6/26 23:40, sashiko-bot@kernel.org wrote:
>> [...]
>>>> @@ -1983,7 +1989,7 @@ bpf_object__init_internal_map(struct bpf_object *obj, enum libbpf_map_type type,
>>>>      }
>>>>
>>>>      def = &map->def;
>>>> -    def->type = BPF_MAP_TYPE_ARRAY;
>>>> +    def->type = is_percpu ? BPF_MAP_TYPE_PERCPU_ARRAY : BPF_MAP_TYPE_ARRAY;
>>>>      def->key_size = sizeof(int);
>>>>      def->value_size = data_sz;
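Review bot: `def->value_size = data_sz;` at the end of this hunk narrows a 64-bit section size into the 32-bit value_size with no range check, and the `is_percpu ? BPF_MAP_TYPE_PERCPU_ARRAY : BPF_MAP_TYPE_ARRAY` change now routes the new percpu section through the same narrowing; consider either an explicit `if (data_sz > UINT32_MAX) return -E2BIG;` before the assignment or a comment stating that section sizes are trusted at this point, so the allocation and the later copy are known to agree on one length.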
>>>
>>> [Severity: High]
>>> This is a pre-existing issue, but could this integer truncation lead to a
>>> buffer overflow?
>>>
>>> If a user supplies a crafted ELF file with a section (like .data, .rodata,
>>> or .percpu) larger than 4GB, the 64-bit data_sz is implicitly truncated when
>>> assigned to the 32-bit def->value_size.
>>>
>>> This results in a smaller mmap allocation based on the truncated value. Later
>>> in bpf_object__init_internal_map(), memcpy uses the original 64-bit data_sz:
>>>
>>>       if (data)
>>>               memcpy(map->mmaped, data, data_sz);
>>>
>>> Can this overflow the allocated buffer when parsing unverified BPF objects?
>>>
>>
>> Sounds reasonable.
>>
>> The data_sz value comes from the ELF file and therefore cannot be
>> trusted, as the section size can be malformed.
>>
>> For example, readelf -a shows the following for a normal ELF:
>>
>>   [ 3] .data             PROGBITS         0000000000000000  00000040
>>        0000000000000004  0000000000000000  WA       0     0     4
>>
>> The section size can be modified to:
>>
>>   [ 3] .data             PROGBITS         0000000000000000  00000040
>>        0000000100000001  0000000000000000  WA       0     0     4
>>
>> In this case, data_sz would be truncated to 1.
>>
>> However, in practice, there won't be a section larger than 4GB in a bpf ELF
>> file. And, it is meaningless to hack libbpf to corrupt user space memory.
>>
>> Of course, I will post a separate patch for further discussion.
> 
> No, don't. All this hardening of libbpf is nonsensical. libbpf is not
> meant to protect against corrupted ELF. If you don't trust the source
> of ELF, you should definitely not attempt to open BPF object and load
> it into kernel to run with root-like capabilities.
> 
Got it.

I didn't post the separate patch.

Thanks,
Leon
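The narrowing the bot describes, as an added illustration written for this page and not libbpf's own code: a hypothetical stand-in struct mirrors the quoted `def->value_size = data_sz;` assignment, a checked variant refuses sizes that do not fit, and the modified readelf section size from the thread (0000000100000001) is used as constructed input.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the two fields the hunk assigns; the real
 * libbpf struct is not reproduced here. */
struct fake_map_def {
	uint32_t key_size;
	uint32_t value_size;
};

/* Mirrors the quoted `def->value_size = data_sz;`: the 64-bit section
 * size is implicitly narrowed to 32 bits. */
static uint32_t narrow_as_in_hunk(uint64_t data_sz)
{
	struct fake_map_def def = { .key_size = sizeof(int) };

	def.value_size = data_sz;	/* implicit truncation */
	return def.value_size;
}

/* True when copying the full data_sz would exceed a buffer sized from
 * the narrowed value, which is the mismatch the bot describes. */
static bool copy_exceeds_alloc(uint64_t data_sz)
{
	return data_sz > (uint64_t)narrow_as_in_hunk(data_sz);
}

/* Hardened variant: reject sizes that do not fit value_size so that the
 * allocation and the copy are always computed from the same length.
 * Returns the narrowed size, or -E2BIG. */
static int64_t narrow_checked(uint64_t data_sz)
{
	if (data_sz > UINT32_MAX)
		return -E2BIG;
	return (int64_t)data_sz;
}

int main(void)
{
	/* Constructed input: the section size from the modified readelf
	 * output quoted in the thread (0000000100000001). */
	uint64_t crafted = 0x100000001ULL;

	printf("narrowed: %u, copy exceeds alloc: %d, checked: %lld\n",
	       narrow_as_in_hunk(crafted), copy_exceeds_alloc(crafted),
	       (long long)narrow_checked(crafted));
	return 0;
}
```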


Thread overview: 25+ messages
2026-06-29 15:23 [PATCH bpf-next v8 0/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 1/9] bpf: Drop duplicate blank lines in verifier Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 2/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:50   ` sashiko-bot
2026-06-30  5:50     ` Leon Hwang
2026-07-01 19:31   ` Andrii Nakryiko
2026-07-02  6:15     ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 3/9] libbpf: Probe percpu data feature Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data Leon Hwang
2026-06-29 15:40   ` sashiko-bot
2026-06-30  5:54     ` Leon Hwang
2026-07-01 19:31       ` Andrii Nakryiko
2026-07-02  6:23         ` Leon Hwang [this message]
2026-07-01 19:32   ` Andrii Nakryiko
2026-07-02  6:16     ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 5/9] bpftool: Generate skeleton " Leon Hwang
2026-07-01 16:49   ` Quentin Monnet
2026-07-01 19:32     ` Andrii Nakryiko
2026-07-02  6:24       ` Leon Hwang
2026-07-02 10:14         ` Quentin Monnet
2026-07-02 14:08           ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 6/9] selftests/bpf: Add tests to verify " Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 7/9] selftests/bpf: Test direct reading/writing read-only percpu_array map Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 8/9] selftests/bpf: Test verifier log for global percpu data Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 9/9] selftests/bpf: Verify bpf_iter " Leon Hwang