BPF List
 help / color / mirror / Atom feed
From: Leon Hwang <leon.hwang@linux.dev>
To: sashiko-reviews@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data
Date: Tue, 30 Jun 2026 13:54:48 +0800	[thread overview]
Message-ID: <96cbecfc-bae6-46ff-90a7-5f4703e1c44c@linux.dev> (raw)
In-Reply-To: <20260629154055.6DD941F00A3A@smtp.kernel.org>

On 29/6/26 23:40, sashiko-bot@kernel.org wrote:
[...]
>> @@ -1983,7 +1989,7 @@ bpf_object__init_internal_map(struct bpf_object *obj, enum libbpf_map_type type,
>>  	}
>>  
>>  	def = &map->def;
>> -	def->type = BPF_MAP_TYPE_ARRAY;
>> +	def->type = is_percpu ? BPF_MAP_TYPE_PERCPU_ARRAY : BPF_MAP_TYPE_ARRAY;
>>  	def->key_size = sizeof(int);
>>  	def->value_size = data_sz;
> 
> [Severity: High]
> This is a pre-existing issue, but could this integer truncation lead to a
> buffer overflow?
> 
> If a user supplies a crafted ELF file with a section (like .data, .rodata,
> or .percpu) larger than 4GB, the 64-bit data_sz is implicitly truncated when
> assigned to the 32-bit def->value_size.
> 
> This results in a smaller mmap allocation based on the truncated value. Later
> in bpf_object__init_internal_map(), memcpy uses the original 64-bit data_sz:
> 
> 	if (data)
> 		memcpy(map->mmaped, data, data_sz);
> 
> Can this overflow the allocated buffer when parsing unverified BPF objects?
> 

Sounds reasonable.

The data_sz value comes from the ELF file and therefore cannot be
trusted, as the section size can be malformed.

For example, readelf -a shows the following for a normal ELF:

  [ 3] .data             PROGBITS         0000000000000000  00000040
       0000000000000004  0000000000000000  WA       0     0     4

The section size can be modified to:

  [ 3] .data             PROGBITS         0000000000000000  00000040
       0000000100000001  0000000000000000  WA       0     0     4

In this case, data_sz would be truncated to 1.

However, in practice, there won't be larger than 4GB section in bpf ELF
file. And, it is meaningless to hack libbpf to corrupt user space memory.

Of course, will post a separate patch for further discussion.

Thanks,
Leon


  reply	other threads:[~2026-06-30  5:55 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 15:23 [PATCH bpf-next v8 0/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 1/9] bpf: Drop duplicate blank lines in verifier Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 2/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:50   ` sashiko-bot
2026-06-30  5:50     ` Leon Hwang
2026-07-01 19:31   ` Andrii Nakryiko
2026-07-02  6:15     ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 3/9] libbpf: Probe percpu data feature Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data Leon Hwang
2026-06-29 15:40   ` sashiko-bot
2026-06-30  5:54     ` Leon Hwang [this message]
2026-07-01 19:31       ` Andrii Nakryiko
2026-07-02  6:23         ` Leon Hwang
2026-07-01 19:32   ` Andrii Nakryiko
2026-07-02  6:16     ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 5/9] bpftool: Generate skeleton " Leon Hwang
2026-07-01 16:49   ` Quentin Monnet
2026-07-01 19:32     ` Andrii Nakryiko
2026-07-02  6:24       ` Leon Hwang
2026-07-02 10:14         ` Quentin Monnet
2026-07-02 14:08           ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 6/9] selftests/bpf: Add tests to verify " Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 7/9] selftests/bpf: Test direct reading/writing read-only percpu_array map Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 8/9] selftests/bpf: Test verifier log for global percpu data Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 9/9] selftests/bpf: Verify bpf_iter " Leon Hwang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=96cbecfc-bae6-46ff-90a7-5f4703e1c44c@linux.dev \
    --to=leon.hwang@linux.dev \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox