* [PATCH bpf v1 1/1] libbpf: Fix out-of-bound read in bpf_linker__add_buf()
@ 2026-02-09 23:01 Amery Hung
2026-02-10 13:50 ` Jiri Olsa
2026-02-10 21:12 ` Andrii Nakryiko
0 siblings, 2 replies; 3+ messages in thread
From: Amery Hung @ 2026-02-09 23:01 UTC (permalink / raw)
To: bpf; +Cc: andrii, eddyz87, kernel-team
Fix a potential out-of-bound read in bpf_linker__add_buf() by advancing
the buffer pointer and reducing the remaining buffer size passed to
write() in each iteration. The bug is reported in [0].
[0]: https://github.com/libbpf/libbpf/issues/945
Fixes: 6d5e5e5d7ce1 ("libbpf: Extend linker API to support in-memory ELF files")
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
tools/lib/bpf/linker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
index f4403e3cf994..78f92c39290a 100644
--- a/tools/lib/bpf/linker.c
+++ b/tools/lib/bpf/linker.c
@@ -581,7 +581,7 @@ int bpf_linker__add_buf(struct bpf_linker *linker, void *buf, size_t buf_sz,
written = 0;
while (written < buf_sz) {
- ret = write(fd, buf, buf_sz);
+ ret = write(fd, buf + written, buf_sz - written);
if (ret < 0) {
ret = -errno;
pr_warn("failed to write '%s': %s\n", filename, errstr(ret));
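Review bot: the subject and description call this an out-of-bound read, but the pre-patch line `ret = write(fd, buf, buf_sz);` never reads past buf + buf_sz; what actually goes wrong after a short write is that the next iteration writes the first bytes of buf into the memfd a second time, so the file ends up with duplicated data instead of the unwritten remainder. Consider rewording the subject and first paragraph to describe that short-write duplication bug, since the `+` line `write(fd, buf + written, buf_sz - written)` is what fixes it. It is also worth confirming that the loop treats a zero return from write() as an error, because the corrected arguments alone do not stop it from spinning in that case.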
--
2.47.3
* Re: [PATCH bpf v1 1/1] libbpf: Fix out-of-bound read in bpf_linker__add_buf()
From: Jiri Olsa @ 2026-02-10 13:50 UTC (permalink / raw)
To: Amery Hung; +Cc: bpf, andrii, eddyz87, kernel-team
On Mon, Feb 09, 2026 at 03:01:34PM -0800, Amery Hung wrote:
> Fix a potential out-of-bound read in bpf_linker__add_buf() by advancing
> the buffer pointer and reducing the remaining buffer size passed to
> write() in each iteration. The bug is reported in [0].
>
> [0]: https://github.com/libbpf/libbpf/issues/945
>
> Fixes: 6d5e5e5d7ce1 ("libbpf: Extend linker API to support in-memory ELF files")
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
jirka
> ---
> tools/lib/bpf/linker.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
> index f4403e3cf994..78f92c39290a 100644
> --- a/tools/lib/bpf/linker.c
> +++ b/tools/lib/bpf/linker.c
> @@ -581,7 +581,7 @@ int bpf_linker__add_buf(struct bpf_linker *linker, void *buf, size_t buf_sz,
>
> written = 0;
> while (written < buf_sz) {
> - ret = write(fd, buf, buf_sz);
> + ret = write(fd, buf + written, buf_sz - written);
> if (ret < 0) {
> ret = -errno;
> pr_warn("failed to write '%s': %s\n", filename, errstr(ret));
> --
> 2.47.3
>
>
* Re: [PATCH bpf v1 1/1] libbpf: Fix out-of-bound read in bpf_linker__add_buf()
From: Andrii Nakryiko @ 2026-02-10 21:12 UTC (permalink / raw)
To: Amery Hung; +Cc: bpf, andrii, eddyz87, kernel-team
On Mon, Feb 9, 2026 at 3:01 PM Amery Hung <ameryhung@gmail.com> wrote:
>
> Fix a potential out-of-bound read in bpf_linker__add_buf() by advancing
> the buffer pointer and reducing the remaining buffer size passed to
> write() in each iteration. The bug is reported in [0].
>
> [0]: https://github.com/libbpf/libbpf/issues/945
>
> Fixes: 6d5e5e5d7ce1 ("libbpf: Extend linker API to support in-memory ELF files")
> Signed-off-by: Amery Hung <ameryhung@gmail.com>
> ---
> tools/lib/bpf/linker.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
> index f4403e3cf994..78f92c39290a 100644
> --- a/tools/lib/bpf/linker.c
> +++ b/tools/lib/bpf/linker.c
> @@ -581,7 +581,7 @@ int bpf_linker__add_buf(struct bpf_linker *linker, void *buf, size_t buf_sz,
>
> written = 0;
> while (written < buf_sz) {
> - ret = write(fd, buf, buf_sz);
> + ret = write(fd, buf + written, buf_sz - written);
The bug fix is correct, but the commit description is off. There will be
no out-of-bounds reads; we'll just corrupt memfd contents and almost
certainly won't be able to parse the resulting ELF file correctly. I've
adjusted the description as follows and pushed to bpf, thanks.
libbpf: Fix invalid write loop logic in bpf_linker__add_buf()

Fix bpf_linker__add_buf()'s logic of copying data from memory buffer into
memfd. In the event of a short write not writing entire buf_sz bytes into
the memfd file, we'll append bytes from the beginning of buf *again*
(corrupting ELF file contents) instead of correctly appending the rest of
not-yet-read buf contents.
> if (ret < 0) {
> ret = -errno;
> pr_warn("failed to write '%s': %s\n", filename, errstr(ret));
> --
> 2.47.3
>
>
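An added example, not libbpf's own code, that reproduces the short-write behaviour discussed above: write_all() runs the copy loop with either the pre-patch or the patched write() arguments against a constructed fake_write() that accepts at most five bytes per call, and roundtrip_ok() reports whether the destination ends up holding exactly the input. fake_write, memfd, write_all and roundtrip_ok are names assumed for this illustration.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the memfd and for write(2): it accepts at most
 * MAX_CHUNK bytes per call, so any longer buffer hits a short write. */
#define MEMFD_CAP 64
#define MAX_CHUNK 5
static char memfd[MEMFD_CAP];
static size_t memfd_len;

static ssize_t fake_write(const void *buf, size_t count)
{
	size_t n = count < MAX_CHUNK ? count : MAX_CHUNK;
	if (memfd_len + n > MEMFD_CAP) {
		errno = ENOSPC;
		return -1;
	}
	memcpy(memfd + memfd_len, buf, n);
	memfd_len += n;
	return (ssize_t)n;
}

/* The copy loop from bpf_linker__add_buf(): fixed == 0 passes the pre-patch
 * arguments (buf, buf_sz), so after a short write the start of buf is appended
 * again; fixed == 1 passes (buf + written, buf_sz - written) as in the patch. */
static int write_all(const char *buf, size_t buf_sz, int fixed)
{
	size_t written = 0;
	while (written < buf_sz) {
		ssize_t ret = fixed ? fake_write(buf + written, buf_sz - written)
				    : fake_write(buf, buf_sz);
		if (ret < 0)
			return -errno;
		written += (size_t)ret;
	}
	return 0;
}

/* Returns 1 if the fake memfd holds exactly the input after copying, else 0. */
static int roundtrip_ok(int fixed, const char *in)
{
	size_t len = strlen(in);
	memfd_len = 0;
	memset(memfd, 0, sizeof(memfd));
	if (write_all(in, len, fixed) < 0)
		return 0;
	return memfd_len == len && memcmp(memfd, in, len) == 0;
}
```

With a 12-byte input the pre-patch loop leaves 15 bytes in the fake memfd ("01234" three times), while an input that fits in a single write never exposes the bug, which is why it went unnoticed.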