From: Leon Hwang <leon.hwang@linux.dev>
To: sashiko-reviews@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data
Date: Tue, 30 Jun 2026 13:54:48 +0800 [thread overview]
Message-ID: <96cbecfc-bae6-46ff-90a7-5f4703e1c44c@linux.dev> (raw)
In-Reply-To: <20260629154055.6DD941F00A3A@smtp.kernel.org>
On 29/6/26 23:40, sashiko-bot@kernel.org wrote:
[...]
>> @@ -1983,7 +1989,7 @@ bpf_object__init_internal_map(struct bpf_object *obj, enum libbpf_map_type type,
>> }
>>
>> def = &map->def;
>> - def->type = BPF_MAP_TYPE_ARRAY;
>> + def->type = is_percpu ? BPF_MAP_TYPE_PERCPU_ARRAY : BPF_MAP_TYPE_ARRAY;
>> def->key_size = sizeof(int);
>> def->value_size = data_sz;
>
> [Severity: High]
> This is a pre-existing issue, but could this integer truncation lead to a
> buffer overflow?
>
> If a user supplies a crafted ELF file with a section (like .data, .rodata,
> or .percpu) larger than 4GB, the 64-bit data_sz is implicitly truncated when
> assigned to the 32-bit def->value_size.
>
> This results in a smaller mmap allocation based on the truncated value. Later
> in bpf_object__init_internal_map(), memcpy uses the original 64-bit data_sz:
>
> if (data)
> memcpy(map->mmaped, data, data_sz);
>
> Can this overflow the allocated buffer when parsing unverified BPF objects?
>
Sounds reasonable.
The data_sz value comes from the ELF file and therefore cannot be
trusted, as the section size can be malformed.
For example, readelf -a shows the following for a normal ELF:
[ 3] .data PROGBITS 0000000000000000 00000040
0000000000000004 0000000000000000 WA 0 0 4
The section size can be modified to:
[ 3] .data PROGBITS 0000000000000000 00000040
0000000100000001 0000000000000000 WA 0 0 4
In this case, data_sz would be truncated to 1.
However, in practice, there won't be larger than 4GB section in bpf ELF
file. And, it is meaningless to hack libbpf to corrupt user space memory.
Of course, will post a separate patch for further discussion.
Thanks,
Leon
next prev parent reply other threads:[~2026-06-30 5:55 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 15:23 [PATCH bpf-next v8 0/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 1/9] bpf: Drop duplicate blank lines in verifier Leon Hwang
2026-06-29 15:23 ` [PATCH bpf-next v8 2/9] bpf: Introduce global percpu data Leon Hwang
2026-06-29 15:50 ` sashiko-bot
2026-06-30 5:50 ` Leon Hwang
2026-07-01 19:31 ` Andrii Nakryiko
2026-07-02 6:15 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 3/9] libbpf: Probe percpu data feature Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 4/9] libbpf: Add support for global percpu data Leon Hwang
2026-06-29 15:40 ` sashiko-bot
2026-06-30 5:54 ` Leon Hwang [this message]
2026-07-01 19:31 ` Andrii Nakryiko
2026-07-02 6:23 ` Leon Hwang
2026-07-01 19:32 ` Andrii Nakryiko
2026-07-02 6:16 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 5/9] bpftool: Generate skeleton " Leon Hwang
2026-07-01 16:49 ` Quentin Monnet
2026-07-01 19:32 ` Andrii Nakryiko
2026-07-02 6:24 ` Leon Hwang
2026-07-02 10:14 ` Quentin Monnet
2026-07-02 14:08 ` Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 6/9] selftests/bpf: Add tests to verify " Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 7/9] selftests/bpf: Test direct reading/writing read-only percpu_array map Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 8/9] selftests/bpf: Test verifier log for global percpu data Leon Hwang
2026-06-29 15:24 ` [PATCH bpf-next v8 9/9] selftests/bpf: Verify bpf_iter " Leon Hwang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=96cbecfc-bae6-46ff-90a7-5f4703e1c44c@linux.dev \
--to=leon.hwang@linux.dev \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox