* [PATCH] libbpf: Add length checks for path parameters before memory allocation
@ 2026-06-29 12:25 Masoud Aghasi
2026-06-29 13:13 ` bot+bpf-ci
2026-06-29 18:23 ` Alexei Starovoitov
0 siblings, 2 replies; 5+ messages in thread
From: Masoud Aghasi @ 2026-06-29 12:25 UTC (permalink / raw)
To: bpf
Cc: andrii, eddyz87, ast, daniel, memxor, martin.lau, song,
yonghong.song, jolsa, emil, Masoud Aghasi
Several libbpf API functions such as bpf_object__open_file() and
bpf_program__pin() allocate memory based on user-provided paths without
first validating input length.
This can result in out-of-memory errors or different error codes
(ENAMETOOLONG, ENOMEM) being returned.
This patch adds missing path length checks to ensure all affected APIs
return a consistent error code (ENAMETOOLONG) for invalid path lengths,
preventing potential memory allocation failures.
Additionally, adds some missing NULL pointer checks to prevent
potential segmentation faults.
Best regards,
Signed-off-by: Masoud Aghasi <maghasi@disroot.org>
---
tools/lib/bpf/libbpf.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 7162146280a8..bb3f1dd0663e 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -8536,6 +8536,9 @@ bpf_object__open_file(const char *path, const struct bpf_object_open_opts *opts)
if (!path)
return libbpf_err_ptr(-EINVAL);
+ if (strlen(path) >= PATH_MAX)
+ return libbpf_err_ptr(-ENAMETOOLONG);
+
return libbpf_ptr(bpf_object_open(path, NULL, 0, NULL, opts));
}
@@ -9191,11 +9194,17 @@ int bpf_program__pin(struct bpf_program *prog, const char *path)
{
int err;
+ if (!prog || !path)
+ return libbpf_err(-EINVAL);
+
if (prog->fd < 0) {
pr_warn("prog '%s': can't pin program that wasn't loaded\n", prog->name);
return libbpf_err(-EINVAL);
}
+ if (strlen(path) >= PATH_MAX)
+ return libbpf_err(-ENAMETOOLONG);
+
err = make_parent_dir(path);
if (err)
return libbpf_err(err);
@@ -9218,11 +9227,17 @@ int bpf_program__unpin(struct bpf_program *prog, const char *path)
{
int err;
+ if (!prog || !path)
+ return libbpf_err(-EINVAL);
+
if (prog->fd < 0) {
pr_warn("prog '%s': can't unpin program that wasn't loaded\n", prog->name);
return libbpf_err(-EINVAL);
}
+ if (strlen(path) >= PATH_MAX)
+ return libbpf_err(-ENAMETOOLONG);
+
err = check_path(path);
if (err)
return libbpf_err(err);
@@ -9269,6 +9284,9 @@ int bpf_map__pin(struct bpf_map *map, const char *path)
return libbpf_err(-EEXIST);
}
+ if (strlen(path) >= PATH_MAX)
+ return libbpf_err(-ENAMETOOLONG);
+
map->pin_path = strdup(path);
if (!map->pin_path) {
err = -errno;
@@ -9319,6 +9337,8 @@ int bpf_map__unpin(struct bpf_map *map, const char *path)
pr_warn("no path to unpin map '%s' from\n",
bpf_map__name(map));
return libbpf_err(-EINVAL);
+ } else if (strlen(path) >= PATH_MAX) {
+ return libbpf_err(-ENAMETOOLONG);
}
err = check_path(path);
@@ -9339,7 +9359,13 @@ int bpf_map__set_pin_path(struct bpf_map *map, const char *path)
{
char *new = NULL;
+ if (!map)
+ return libbpf_err(-EINVAL);
+
if (path) {
+ if (strlen(path) >= PATH_MAX)
+ return libbpf_err(-ENAMETOOLONG);
+
new = strdup(path);
if (!new)
return libbpf_err(-errno);
@@ -11432,6 +11458,12 @@ int bpf_link__pin(struct bpf_link *link, const char *path)
{
int err;
+ if (!link || !path)
+ return libbpf_err(-EINVAL);
+
+ if (strlen(path) >= PATH_MAX)
+ return libbpf_err(-ENAMETOOLONG);
+
if (link->pin_path)
return libbpf_err(-EBUSY);
err = make_parent_dir(path);
--
2.47.3
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] libbpf: Add length checks for path parameters before memory allocation
2026-06-29 12:25 [PATCH] libbpf: Add length checks for path parameters before memory allocation Masoud Aghasi
@ 2026-06-29 13:13 ` bot+bpf-ci
2026-06-29 18:23 ` Alexei Starovoitov
1 sibling, 0 replies; 5+ messages in thread
From: bot+bpf-ci @ 2026-06-29 13:13 UTC (permalink / raw)
To: maghasi, bpf
Cc: andrii, eddyz87, ast, daniel, memxor, martin.lau, song,
yonghong.song, jolsa, emil, maghasi, ast, andrii, daniel,
martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai
[-- Attachment #1: Type: text/plain, Size: 1342 bytes --]
> commit db9140ef75b49207c16db30f458eed63f232d989
> Author: Masoud Aghasi <maghasi@disroot.org>
>
> libbpf: Add length checks for path parameters before memory allocation
>
> Several libbpf API functions such as bpf_object__open_file() and
> bpf_program__pin() allocate memory based on user-provided paths without
> first validating input length.
>
> This can result in out-of-memory errors or different error codes
> (ENAMETOOLONG, ENOMEM) being returned.
>
> This patch adds missing path length checks to ensure all affected APIs
> return a consistent error code (ENAMETOOLONG) for invalid path lengths,
> preventing potential memory allocation failures.
>
> Additionally, adds some missing NULL pointer checks to prevent
> potential segmentation faults.
>
> Best regards,
>
> Signed-off-by: Masoud Aghasi <maghasi@disroot.org>
This isn't a bug, but could the "Best regards," closing be dropped from the
commit body? Kernel commit messages conventionally end with the rationale
before the Signed-off-by trailer, without email-style salutations.
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28373171289
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] libbpf: Add length checks for path parameters before memory allocation
2026-06-29 12:25 [PATCH] libbpf: Add length checks for path parameters before memory allocation Masoud Aghasi
2026-06-29 13:13 ` bot+bpf-ci
@ 2026-06-29 18:23 ` Alexei Starovoitov
2026-06-30 6:46 ` Masoud Aghasi
1 sibling, 1 reply; 5+ messages in thread
From: Alexei Starovoitov @ 2026-06-29 18:23 UTC (permalink / raw)
To: Masoud Aghasi, bpf
Cc: andrii, eddyz87, ast, daniel, memxor, martin.lau, song,
yonghong.song, jolsa, emil
On Mon Jun 29, 2026 at 5:25 AM PDT, Masoud Aghasi wrote:
> Several libbpf API functions such as bpf_object__open_file() and
> bpf_program__pin() allocate memory based on user-provided paths without
> first validating input length.
>
> This can result in out-of-memory errors or different error codes
> (ENAMETOOLONG, ENOMEM) being returned.
>
> This patch adds missing path length checks to ensure all affected APIs
> return a consistent error code (ENAMETOOLONG) for invalid path lengths,
> preventing potential memory allocation failures.
>
> Additionally, adds some missing NULL pointer checks to prevent
> potential segmentation faults.
>
> Best regards,
>
> Signed-off-by: Masoud Aghasi <maghasi@disroot.org>
> ---
> tools/lib/bpf/libbpf.c | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 7162146280a8..bb3f1dd0663e 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -8536,6 +8536,9 @@ bpf_object__open_file(const char *path, const struct bpf_object_open_opts *opts)
> if (!path)
> return libbpf_err_ptr(-EINVAL);
>
> + if (strlen(path) >= PATH_MAX)
> + return libbpf_err_ptr(-ENAMETOOLONG);
> +
The code is fine as-is. We don't add defensive checks.
pw-bot: cr
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] libbpf: Add length checks for path parameters before memory allocation
2026-06-29 18:23 ` Alexei Starovoitov
@ 2026-06-30 6:46 ` Masoud Aghasi
2026-06-30 18:12 ` Alexei Starovoitov
0 siblings, 1 reply; 5+ messages in thread
From: Masoud Aghasi @ 2026-06-30 6:46 UTC (permalink / raw)
To: Alexei Starovoitov, bpf
Cc: andrii, eddyz87, ast, daniel, memxor, martin.lau, song,
yonghong.song, jolsa, emil
On 29/06/2026 19:23, Alexei Starovoitov wrote:
>
> The code is fine as-is. We don't add defensive checks.
>
> pw-bot: cr
Thanks for the review.
I'm just starting to contribute to libbpf, so I'd like to make sure
I understand the design philosophy correctly.
Is the following understanding correct?
Since the caller and libbpf share the same trust boundary
(same process, same VAS), libbpf generally assumes that API arguments
come from a trusted caller. If an application accepts input from an
untrusted source, it's the application's responsibility to validate
that input before passing it to libbpf.
I'm trying to better understand where libbpf draws the boundary for
input validation when looking for future contribution opportunities.
Thanks!
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] libbpf: Add length checks for path parameters before memory allocation
2026-06-30 6:46 ` Masoud Aghasi
@ 2026-06-30 18:12 ` Alexei Starovoitov
0 siblings, 0 replies; 5+ messages in thread
From: Alexei Starovoitov @ 2026-06-30 18:12 UTC (permalink / raw)
To: Masoud Aghasi, bpf
Cc: andrii, eddyz87, ast, daniel, memxor, martin.lau, song,
yonghong.song, jolsa, emil
On Mon Jun 29, 2026 at 11:46 PM PDT, Masoud Aghasi wrote:
> On 29/06/2026 19:23, Alexei Starovoitov wrote:
>>
>> The code is fine as-is. We don't add defensive checks.
>>
>> pw-bot: cr
>
> Thanks for the review.
>
> I'm just starting to contribute to libbpf, so I'd like to make sure
> I understand the design philosophy correctly.
>
> Is the following understanding correct?
>
> Since the caller and libbpf share the same trust boundary
> (same process, same VAS), libbpf generally assumes that API arguments
> come from a trusted caller. If an application accepts input from an
> untrusted source, it's the application's responsibility to validate
> that input before passing it to libbpf.
No. It's nobody's responsiblity to validate anything.
Users of libbpf should use API correctly. That's it.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-06-30 18:12 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 12:25 [PATCH] libbpf: Add length checks for path parameters before memory allocation Masoud Aghasi
2026-06-29 13:13 ` bot+bpf-ci
2026-06-29 18:23 ` Alexei Starovoitov
2026-06-30 6:46 ` Masoud Aghasi
2026-06-30 18:12 ` Alexei Starovoitov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox