From: "Emil Tsalapatis" <emil@etsalapatis.com>
To: "Weiming Shi" <bestswngs@gmail.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>
Cc: "Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"John Fastabend" <john.fastabend@gmail.com>,
"KP Singh" <kpsingh@kernel.org>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
<bpf@vger.kernel.org>, "Xiang Mei" <xmei5@asu.edu>
Subject: Re: [PATCH bpf] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
Date: Fri, 03 Apr 2026 18:13:41 -0400 [thread overview]
Message-ID: <DHJV66NESCIC.230BWL0DNXZ18@etsalapatis.com> (raw)
In-Reply-To: <20260403035111.4031084-2-bestswngs@gmail.com>
On Thu Apr 2, 2026 at 11:51 PM EDT, Weiming Shi wrote:
> CO-RE accessor strings are colon-separated indices that describe a path
> from a root BTF type to a target field, e.g. "0:1:2" walks through
> nested struct members. bpf_core_parse_spec() parses each component with
> sscanf("%d"), so negative values like -1 are silently accepted. The
> subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
> upper bound and always pass for negative values. When -1 reaches
> btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an
> out-of-bounds read far past the members array.
>
> A crafted BPF program with a negative CO-RE accessor on any struct that
> exists in vmlinux BTF (e.g. task_struct) crashes the kernel during
> BPF_PROG_LOAD:
>
> BUG: unable to handle page fault for address: ffffed11818b6626
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 7f74e067 P4D 7f74e067 PUD 0
> Oops: Oops: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
> Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:348)
> RAX: 00000000ffffffff RBX: ffff88800c5b3128 RCX: 0000000000000000
> Call Trace:
> <TASK>
> bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1319)
> bpf_core_apply (kernel/bpf/btf.c:9507)
> bpf_check (kernel/bpf/verifier.c:26031)
> bpf_prog_load (kernel/bpf/syscall.c:3089)
> __sys_bpf (kernel/bpf/syscall.c:6228)
> __x64_sys_bpf (kernel/bpf/syscall.c:6339)
> do_syscall_64 (arch/x86/entry/syscall_64.c:94)
> </TASK>
>
> CO-RE accessor indices are inherently non-negative (field index, array
> index, or enumerator index), so reject them after parsing.
>
> Fixes: ddc7c3042614 ("libbpf: implement BPF CO-RE offset relocation algorithm")
> Reported-by: Xiang Mei <xmei5@asu.edu>
> igned-off-by: Weiming Shi <bestswngs@gmail.com>
As mentioned by the bot, there is a missing S here.
For the patch itself:
1) Please add a selftest for this. The offending CO:RE program should
work.
2) Judging from your description, the code below just band-aids the problem on
the libbpf side. This sounds like a bounds checking issue directly in
the kernel.
> ---
> tools/lib/bpf/relo_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
> index 6eea5edba58a..0ccc8f548cba 100644
> --- a/tools/lib/bpf/relo_core.c
> +++ b/tools/lib/bpf/relo_core.c
> @@ -292,6 +292,8 @@ int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
> ++spec_str;
> if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
> return -EINVAL;
> + if (access_idx < 0)
> + return -EINVAL;
> if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
> return -E2BIG;
> spec_str += parsed_len;
> --
> 2.43.0
prev parent reply other threads:[~2026-04-03 22:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-03 3:51 [PATCH bpf] bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() Weiming Shi
2026-04-03 4:41 ` bot+bpf-ci
2026-04-03 22:13 ` Emil Tsalapatis [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DHJV66NESCIC.230BWL0DNXZ18@etsalapatis.com \
--to=emil@etsalapatis.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bestswngs@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=xmei5@asu.edu \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox