public inbox for netdev@vger.kernel.org
* [PATCH v3 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes()
@ 2026-02-24  3:15 Kohei Enju
  2026-02-24  3:21 ` Kohei Enju
  2026-02-24 10:58 ` Toke Høiland-Jørgensen
  0 siblings, 2 replies; 3+ messages in thread
From: Kohei Enju @ 2026-02-24  3:15 UTC (permalink / raw)
  To: netdev, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller,
	Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend,
	Stanislav Fomichev, Andrii Nakryiko, Martin KaFai Lau,
	Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo,
	Jiri Olsa, Jussi Maki, Toke Høiland-Jørgensen,
	kohei.enju, Kohei Enju, syzbot+10cc7f13760b31bd2e61

get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.

Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.

Add a max parameter to get_upper_ifindexes() to avoid the issue.
When there are too many upper devices, return -EOVERFLOW and abort the
redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.

Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/
Fixes: aeea1b86f936 ("bpf, devmap: Exclude XDP broadcast to master device")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
---
Changes:
  v3:
    - return -EOVERFLOW when there are too many upper devices
  v2: https://lore.kernel.org/bpf/20260220193039.7129-1-kohei@enjuk.jp/
    - fix formatting, accounting that max-line-length is 100
  v1: https://lore.kernel.org/bpf/20260216201428.65641-1-kohei@enjuk.jp/
---
 kernel/bpf/devmap.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 2625601de76e..d8e926a2d0da 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -588,18 +588,22 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin
 }
 
 /* Get ifindex of each upper device. 'indexes' must be able to hold at
- * least MAX_NEST_DEV elements.
- * Returns the number of ifindexes added.
+ * least 'max' elements.
+ * Returns the number of ifindexes added, or -EOVERFLOW if there are too 
+ * many upper devices.
  */
-static int get_upper_ifindexes(struct net_device *dev, int *indexes)
+static int get_upper_ifindexes(struct net_device *dev, int *indexes, int max)
 {
 	struct net_device *upper;
 	struct list_head *iter;
 	int n = 0;
 
 	netdev_for_each_upper_dev_rcu(dev, upper, iter) {
+		if (n >= max)
+			return -EOVERFLOW;
 		indexes[n++] = upper->ifindex;
 	}
+
 	return n;
 }
 
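Review bot: the added comment line `+ * Returns the number of ifindexes added, or -EOVERFLOW if there are too ` carries a trailing space, which checkpatch flags; trim it before resending. The bound check itself is in the right order: `if (n >= max) return -EOVERFLOW;` sits before `indexes[n++] = upper->ifindex;`, so the write can no longer run once n reaches max. One wording point on the comment: it says 'indexes' must hold at least 'max' elements but does not say that on -EOVERFLOW the first 'max' slots have already been written and the count is not reported, so a caller must treat the buffer as unusable on error; a short sentence stating that would help.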
@@ -615,7 +619,11 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx,
 	int err;
 
 	if (exclude_ingress) {
-		num_excluded = get_upper_ifindexes(dev_rx, excluded_devices);
+		num_excluded = get_upper_ifindexes(dev_rx, excluded_devices,
+						   ARRAY_SIZE(excluded_devices) - 1);
+		if (num_excluded < 0)
+			return num_excluded;
+
 		excluded_devices[num_excluded++] = dev_rx->ifindex;
 	}
 
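Review bot: `ARRAY_SIZE(excluded_devices) - 1` is correct, but the reason for the `- 1` (one slot is reserved for `dev_rx->ifindex`, which is appended on the very next line) is only visible by reading ahead; a one-line comment at the call site would make that invariant explicit. The negative-return check placed before the append is what actually closes the hole, since num_excluded can now be at most ARRAY_SIZE - 1 when `excluded_devices[num_excluded++] = dev_rx->ifindex;` runs. It would also be worth spelling out in the commit message that the error return changes observable behaviour for devices with more uppers than the buffer holds: the broadcast is now refused for them rather than proceeding with a corrupted stack.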
@@ -733,7 +741,11 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
 	int err;
 
 	if (exclude_ingress) {
-		num_excluded = get_upper_ifindexes(dev, excluded_devices);
+		num_excluded = get_upper_ifindexes(dev, excluded_devices,
+						   ARRAY_SIZE(excluded_devices) - 1);
+		if (num_excluded < 0)
+			return num_excluded;
+
 		excluded_devices[num_excluded++] = dev->ifindex;
 	}
 
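Review bot: this block is identical to the one in dev_map_enqueue_multi() (call get_upper_ifindexes() with `ARRAY_SIZE(excluded_devices) - 1`, check for a negative return, append the device's own ifindex); factoring that sequence into a small helper that takes the device and the array would keep the two call sites from drifting and put the `- 1` reservation in one place. The fix is correct here as well: `excluded_devices[num_excluded++] = dev->ifindex;` is only reached when num_excluded is at most ARRAY_SIZE - 1.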
-- 
2.51.0



* Re: [PATCH v3 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes()
  2026-02-24  3:15 [PATCH v3 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes() Kohei Enju
@ 2026-02-24  3:21 ` Kohei Enju
  2026-02-24 10:58 ` Toke Høiland-Jørgensen
  1 sibling, 0 replies; 3+ messages in thread
From: Kohei Enju @ 2026-02-24  3:21 UTC (permalink / raw)
  To: kohei
  Cc: andrii, ast, bpf, daniel, davem, eddyz87, haoluo, hawk, joamaki,
	john.fastabend, jolsa, kohei.enju, kpsingh, kuba, martin.lau,
	netdev, sdf, song, syzbot+10cc7f13760b31bd2e61, toke,
	yonghong.song

On Tue, 24 Feb 2026 03:15:37 +0000, Kohei Enju wrote:

[...]
> diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
> index 2625601de76e..d8e926a2d0da 100644
> --- a/kernel/bpf/devmap.c
> +++ b/kernel/bpf/devmap.c
> @@ -588,18 +588,22 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin
>  }
>  
>  /* Get ifindex of each upper device. 'indexes' must be able to hold at
> - * least MAX_NEST_DEV elements.
> - * Returns the number of ifindexes added.
> + * least 'max' elements.
> + * Returns the number of ifindexes added, or -EOVERFLOW if there are too 

Ugh, I missed trailing space. Will send v4 after 24 hours.

[...]


* Re: [PATCH v3 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes()
  2026-02-24  3:15 [PATCH v3 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes() Kohei Enju
  2026-02-24  3:21 ` Kohei Enju
@ 2026-02-24 10:58 ` Toke Høiland-Jørgensen
  1 sibling, 0 replies; 3+ messages in thread
From: Toke Høiland-Jørgensen @ 2026-02-24 10:58 UTC (permalink / raw)
  To: Kohei Enju, netdev, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller,
	Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend,
	Stanislav Fomichev, Andrii Nakryiko, Martin KaFai Lau,
	Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo,
	Jiri Olsa, Jussi Maki, kohei.enju, Kohei Enju,
	syzbot+10cc7f13760b31bd2e61

Kohei Enju <kohei@enjuk.jp> writes:

> get_upper_ifindexes() iterates over all upper devices and writes their
> indices into an array without checking bounds.
>
> Also the callers assume that the max number of upper devices is
> MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
> but that assumption is not correct and the number of upper devices could
> be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
> stack-out-of-bounds write.
>
> Add a max parameter to get_upper_ifindexes() to avoid the issue.
> When there are too many upper devices, return -EOVERFLOW and abort the
> redirect.
>
> To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
> an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
> Then send a packet to the device to trigger the XDP redirect path.
>
> Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/
> Fixes: aeea1b86f936 ("bpf, devmap: Exclude XDP broadcast to master device")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>

Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>

