From: Yonghong Song <yonghong.song@linux.dev>
To: Dawei Feng <dawei.feng@seu.edu.cn>, martin.lau@linux.dev
Cc: emil@etsalapatis.com, ast@kernel.org, daniel@iogearbox.net,
andrii@kernel.org, eddyz87@gmail.com, memxor@gmail.com,
song@kernel.org, jolsa@kernel.org, kees@kernel.org,
joel.granados@kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
jianhao.xu@seu.edu.cn, Zilin Guan <zilin@seu.edu.cn>
Subject: Re: [PATCH v3 1/3] bpf: NUL-terminate replaced sysctl value
Date: Wed, 3 Jun 2026 07:47:33 -0700 [thread overview]
Message-ID: <555331d6-59e5-4925-a409-2bf4af273799@linux.dev> (raw)
In-Reply-To: <20260603105317.944304-2-dawei.feng@seu.edu.cn>
On 6/3/26 3:53 AM, Dawei Feng wrote:
> When writing to sysctls, proc_sys_call_handler() guarantees that the
> buffer passed to proc handlers is NUL-terminated. If
> bpf_sysctl_set_new_value() replaces the pending sysctl value, it can
> hand a replacement buffer directly to proc handlers. However, the
> helper currently copies only buf_len bytes into that buffer without
> appending a NUL terminator, leaving downstream parsers vulnerable to
> out-of-bounds access.
>
> Fix this by appending a '\0' after the replaced value to restore the
> expected sysctl semantics. Since the helper already rejects buf_len
> greater than PAGE_SIZE - 1, there is always room for the extra byte.
>
> Reproduced in a QEMU x86_64 guest booted with KASAN while exercising
> the sysctl replacement path with a cgroup/sysctl BPF program. The
> reproducer targets `/proc/sys/net/core/flow_limit_cpu_bitmap`, fills
> the original user write buffer with non-zero bytes, and overrides the
> sysctl value so the replacement buffer lacks a terminating NUL. Under
> that setup, the pre-fix kernel reported:
>
> BUG: KASAN: slab-out-of-bounds in strnchrnul+0x72/0x90
> Read of size 1 at addr ffff88800de57000 by task repro_patch3/66
> CPU: 0 UID: 0 PID: 66 Comm: repro_patch3 Not tainted 7.1.0-rc3-00269-g8370ca1f87cc #6 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x68/0xa0
> print_report+0xcb/0x5e0
> ? __virt_addr_valid+0x21d/0x3f0
> ? strnchrnul+0x72/0x90
> ? strnchrnul+0x72/0x90
> kasan_report+0xca/0x100
> ? strnchrnul+0x72/0x90
> strnchrnul+0x72/0x90
> bitmap_parse+0x37/0x2e0
> flow_limit_cpu_sysctl+0xc6/0x840
> ? __pfx_flow_limit_cpu_sysctl+0x10/0x10
> ? __kvmalloc_node_noprof+0x5ba/0x870
> proc_sys_call_handler+0x31d/0x480
> ? __pfx_proc_sys_call_handler+0x10/0x10
> ? selinux_file_permission+0x39f/0x500
> ? lock_is_held_type+0x9e/0x120
> vfs_write+0x98e/0x1000
> ...
> </TASK>
> The buggy address is located 0 bytes to the right of
> allocated 4096-byte region [ffff88800de56000, ffff88800de57000)
> With this fix applied, rerunning the same sysctl-targeted path yields
> no corresponding KASAN reports.
>
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
> ---
> kernel/bpf/cgroup.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 876f6a81a9b6..2c7f72d3fb11 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -2342,6 +2342,7 @@ BPF_CALL_3(bpf_sysctl_set_new_value, struct bpf_sysctl_kern *, ctx,
> return -E2BIG;
>
> memcpy(ctx->new_val, buf, buf_len);
> + ((char *)ctx->new_val)[buf_len] = '\0';
Okay, I looked at your v2 comment and checked the bpf_sysctl_set_new_value again.
You above implementation is correct.
Acked-by: Yonghong Song <yonghong.song@linux.dev>
> ctx->new_len = buf_len;
> ctx->new_updated = 1;
>
next prev parent reply other threads:[~2026-06-03 14:47 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 10:53 [PATCH v3 0/3] bpf: fix sysctl new-value handling in __cgroup_bpf_run_filter_sysctl Dawei Feng
2026-06-03 10:53 ` [PATCH v3 1/3] bpf: NUL-terminate replaced sysctl value Dawei Feng
2026-06-03 11:36 ` bot+bpf-ci
2026-06-03 14:37 ` Yonghong Song
2026-06-03 23:23 ` Alexei Starovoitov
2026-06-04 19:35 ` Yonghong Song
2026-06-03 14:47 ` Yonghong Song [this message]
2026-06-03 10:53 ` [PATCH v3 2/3] bpf: use kvfree() for replaced sysctl write buffer Dawei Feng
2026-06-03 10:53 ` [PATCH v3 3/3] bpf: Restore sysctl new-value from 1 to 0 Dawei Feng
2026-06-03 11:19 ` Jiayuan Chen
2026-06-03 11:36 ` bot+bpf-ci
2026-06-03 13:32 ` Mykyta Yatsenko
2026-06-05 2:55 ` Xu Kuohai
2026-06-05 23:00 ` [PATCH v3 0/3] bpf: fix sysctl new-value handling in __cgroup_bpf_run_filter_sysctl patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555331d6-59e5-4925-a409-2bf4af273799@linux.dev \
--to=yonghong.song@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dawei.feng@seu.edu.cn \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=jianhao.xu@seu.edu.cn \
--cc=joel.granados@kernel.org \
--cc=jolsa@kernel.org \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=song@kernel.org \
--cc=zilin@seu.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox