From: Song Liu <song@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Arnaud Lecomte <contact@arnaud-lcm.com>,
Yonghong Song <yonghong.song@linux.dev>,
Martin KaFai Lau <martin.lau@linux.dev>,
Andrii Nakryiko <andrii@kernel.org>,
Alexei Starovoitov <ast@kernel.org>, bpf <bpf@vger.kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Eduard <eddyz87@gmail.com>, Hao Luo <haoluo@google.com>,
John Fastabend <john.fastabend@gmail.com>,
Jiri Olsa <jolsa@kernel.org>, KP Singh <kpsingh@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>,
syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: [PATCH bpf-next v5 2/2] bpf: fix stackmap overflow check in __bpf_get_stackid()
Date: Fri, 29 Aug 2025 11:49:52 -0700 [thread overview]
Message-ID: <CAPhsuW5P4sOHmMCmVTZw2vfuz7Rny-xkhuPkRBitfoATQkm=eA@mail.gmail.com> (raw)
In-Reply-To: <CAADnVQ+6bV3h3i-A1LHbEk=nY_PMx69BiogWjf5GtGaLxWSQVg@mail.gmail.com>
On Fri, Aug 29, 2025 at 10:29 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
[...]
> >
> > static long __bpf_get_stackid(struct bpf_map *map,
> > - struct perf_callchain_entry *trace, u64 flags)
> > + struct perf_callchain_entry *trace, u64 flags, u32 max_depth)
> > {
> > struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
> > struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
> > @@ -263,6 +263,8 @@ static long __bpf_get_stackid(struct bpf_map *map,
> >
> > trace_nr = trace->nr - skip;
> > trace_len = trace_nr * sizeof(u64);
> > + trace_nr = min(trace_nr, max_depth - skip);
> > +
>
> The patch might have fixed this particular syzbot repro
> with OOB in stackmap-with-buildid case,
> but above two line looks wrong.
> trace_len is computed before being capped by max_depth.
> So non-buildid case below is using
> memcpy(new_bucket->data, ips, trace_len);
>
> so OOB is still there?
+1 for this observation.
We are calling __bpf_get_stackid() from two functions: bpf_get_stackid
and bpf_get_stackid_pe. The check against max_depth is only needed
from bpf_get_stackid_pe, so it is better to just check here.
I have got the following on top of patch 1/2. This makes more sense to
me.
PS: The following also includes some clean up in __bpf_get_stack.
I include those because it also uses stack_map_calculate_max_depth.
Does this look better?
Thanks,
Song
diff --git c/kernel/bpf/stackmap.c w/kernel/bpf/stackmap.c
index 796cc105eacb..08554fb146e1 100644
--- c/kernel/bpf/stackmap.c
+++ w/kernel/bpf/stackmap.c
@@ -262,7 +262,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
return -EFAULT;
trace_nr = trace->nr - skip;
- trace_len = trace_nr * sizeof(u64);
+
ips = trace->ip + skip;
hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
id = hash & (smap->n_buckets - 1);
@@ -297,6 +297,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
return -EEXIST;
}
} else {
+ trace_len = trace_nr * sizeof(u64);
if (hash_matches && bucket->nr == trace_nr &&
memcmp(bucket->data, ips, trace_len) == 0)
return id;
@@ -322,19 +323,17 @@ static long __bpf_get_stackid(struct bpf_map *map,
BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
u64, flags)
{
- u32 max_depth = map->value_size / stack_map_data_size(map);
- u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ u32 elem_size = stack_map_data_size(map);
bool user = flags & BPF_F_USER_STACK;
struct perf_callchain_entry *trace;
bool kernel = !user;
+ u32 max_depth;
if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
return -EINVAL;
- max_depth += skip;
- if (max_depth > sysctl_perf_event_max_stack)
- max_depth = sysctl_perf_event_max_stack;
+ max_depth = stack_map_calculate_max_depth(map->value_size,
elem_size, flags);
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
false, false);
@@ -375,6 +374,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct
bpf_perf_event_data_kern *, ctx,
bool kernel, user;
__u64 nr_kernel;
int ret;
+ u32 elem_size, max_depth;
/* perf_sample_data doesn't have callchain, use bpf_get_stackid */
if (!(event->attr.sample_type & PERF_SAMPLE_CALLCHAIN))
@@ -393,11 +393,12 @@ BPF_CALL_3(bpf_get_stackid_pe, struct
bpf_perf_event_data_kern *, ctx,
return -EFAULT;
nr_kernel = count_kernel_ip(trace);
-
+ elem_size = stack_map_data_size(map);
if (kernel) {
__u64 nr = trace->nr;
- trace->nr = nr_kernel;
+ max_depth =
stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, nr_kernel, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
/* restore nr */
@@ -410,6 +411,8 @@ BPF_CALL_3(bpf_get_stackid_pe, struct
bpf_perf_event_data_kern *, ctx,
return -EFAULT;
flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
+ max_depth =
stack_map_calculate_max_depth(map->value_size, elem_size, flags);
+ trace->nr = min_t(u32, trace->nr, max_depth);
ret = __bpf_get_stackid(map, trace, flags);
}
return ret;
@@ -428,7 +431,7 @@ static long __bpf_get_stack(struct pt_regs *regs,
struct task_struct *task,
struct perf_callchain_entry *trace_in,
void *buf, u32 size, u64 flags, bool may_fault)
{
- u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
+ u32 trace_nr, copy_len, elem_size, max_depth;
bool user_build_id = flags & BPF_F_USER_BUILD_ID;
bool crosstask = task && task != current;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
@@ -465,13 +468,15 @@ static long __bpf_get_stack(struct pt_regs
*regs, struct task_struct *task,
if (may_fault)
rcu_read_lock(); /* need RCU for perf's callchain below */
- if (trace_in)
+ if (trace_in) {
trace = trace_in;
- else if (kernel && task)
+ trace->nr = min_t(u32, trace->nr, max_depth);
+ } else if (kernel && task) {
trace = get_callchain_entry_for_task(task, max_depth);
- else
+ } else {
trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
crosstask, false);
+ }
if (unlikely(!trace) || trace->nr < skip) {
if (may_fault)
@@ -479,9 +484,7 @@ static long __bpf_get_stack(struct pt_regs *regs,
struct task_struct *task,
goto err_fault;
}
- num_elem = size / elem_size;
trace_nr = trace->nr - skip;
- trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
copy_len = trace_nr * elem_size;
ips = trace->ip + skip;
next prev parent reply other threads:[~2025-08-29 18:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-26 21:22 [PATCH bpf-next v5 1/2] bpf: refactor max_depth computation in bpf_get_stack() Arnaud Lecomte
2025-08-26 21:23 ` [PATCH bpf-next v5 2/2] bpf: fix stackmap overflow check in __bpf_get_stackid() Arnaud Lecomte
2025-08-29 17:29 ` Alexei Starovoitov
2025-08-29 18:49 ` Song Liu [this message]
2025-08-30 0:28 ` Alexei Starovoitov
2025-08-30 17:13 ` Lecomte, Arnaud
2025-09-01 1:10 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPhsuW5P4sOHmMCmVTZw2vfuz7Rny-xkhuPkRBitfoATQkm=eA@mail.gmail.com' \
--to=song@kernel.org \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=contact@arnaud-lcm.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).