From: Leon Hwang <leon.hwang@linux.dev>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: sashiko-reviews@lists.linux.dev, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data
Date: Thu, 2 Jul 2026 14:23:36 +0800 [thread overview]
Message-ID: <6ac505f6-818d-4abb-bdca-6b96f1ce30f2@linux.dev> (raw)
In-Reply-To: <CAEf4BzbBpDQOG-xUArBzZa_qZ08q=QViH-bbFmqwLNesGvJLUA@mail.gmail.com>
On 2/7/26 03:31, Andrii Nakryiko wrote:
> On Mon, Jun 29, 2026 at 10:55 PM Leon Hwang <leon.hwang@linux.dev> wrote:
>>
>> On 29/6/26 23:40, sashiko-bot@kernel.org wrote:
>> [...]
>>>> @@ -1983,7 +1989,7 @@ bpf_object__init_internal_map(struct bpf_object *obj, enum libbpf_map_type type,
>>>> }
>>>>
>>>> def = &map->def;
>>>> - def->type = BPF_MAP_TYPE_ARRAY;
>>>> + def->type = is_percpu ? BPF_MAP_TYPE_PERCPU_ARRAY : BPF_MAP_TYPE_ARRAY;
>>>> def->key_size = sizeof(int);
>>>> def->value_size = data_sz;
>>>
>>> [Severity: High]
>>> This is a pre-existing issue, but could this integer truncation lead to a
>>> buffer overflow?
>>>
>>> If a user supplies a crafted ELF file with a section (like .data, .rodata,
>>> or .percpu) larger than 4GB, the 64-bit data_sz is implicitly truncated when
>>> assigned to the 32-bit def->value_size.
>>>
>>> This results in a smaller mmap allocation based on the truncated value. Later
>>> in bpf_object__init_internal_map(), memcpy uses the original 64-bit data_sz:
>>>
>>> if (data)
>>> memcpy(map->mmaped, data, data_sz);
>>>
>>> Can this overflow the allocated buffer when parsing unverified BPF objects?
>>>
>>
>> Sounds reasonable.
>>
>> The data_sz value comes from the ELF file and therefore cannot be
>> trusted, as the section size can be malformed.
>>
>> For example, readelf -a shows the following for a normal ELF:
>>
>> [ 3] .data PROGBITS 0000000000000000 00000040
>> 0000000000000004 0000000000000000 WA 0 0 4
>>
>> The section size can be modified to:
>>
>> [ 3] .data PROGBITS 0000000000000000 00000040
>> 0000000100000001 0000000000000000 WA 0 0 4
>>
>> In this case, data_sz would be truncated to 1.
>>
>> However, in practice, there won't be larger than 4GB section in bpf ELF
>> file. And, it is meaningless to hack libbpf to corrupt user space memory.
>>
>> Of course, will post a separate patch for further discussion.
>
> No, don't. All this hardening of libbpf is nonsensical. libbpf is not
> meant to protect against corrupted ELF. If you don't trust the source
> of ELF, you should definitely not attempt to open BPF object and load
> it into kernel to run with root-like capabilities.
>
Got it.
I didn't post the separate patch.
Thanks,
Leon
next prev parent reply other threads:[~2026-07-02 6:23 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 15:23 [PATCH bpf-next v8 0/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 1/9] bpf: Drop duplicate blank lines in verifier Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 2/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:50 ` sashiko-bot
2026-06-30 5:50 ` Leon Hwang
2026-07-01 19:31 ` Andrii Nakryiko
2026-07-02 6:15 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 3/9] libbpf: Probe percpu data feature Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data Leon Hwang
2026-06-29 15:40 ` sashiko-bot
2026-06-30 5:54 ` Leon Hwang
2026-07-01 19:31 ` Andrii Nakryiko
2026-07-02 6:23 ` Leon Hwang [this message]
2026-07-01 19:32 ` Andrii Nakryiko
2026-07-02 6:16 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 5/9] bpftool: Generate skeleton " Leon Hwang
2026-07-01 16:49 ` Quentin Monnet
2026-07-01 19:32 ` Andrii Nakryiko
2026-07-02 6:24 ` Leon Hwang
2026-07-02 10:14 ` Quentin Monnet
2026-07-02 14:08 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 6/9] selftests/bpf: Add tests to verify " Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 7/9] selftests/bpf: Test direct reading/writing read-only percpu_array map Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 8/9] selftests/bpf: Test verifier log for global percpu data Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 9/9] selftests/bpf: Verify bpf_iter " Leon Hwang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6ac505f6-818d-4abb-bdca-6b96f1ce30f2@linux.dev \
--to=leon.hwang@linux.dev \
--cc=andrii.nakryiko@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox