mirror-linux/tools/lib/bpf
Weiming Shi 1c22483a2c bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
CO-RE accessor strings are colon-separated indices that describe a path
from a root BTF type to a target field, e.g. "0:1:2" walks through
nested struct members. bpf_core_parse_spec() parses each component with
sscanf("%d"), so negative values like -1 are silently accepted.  The
subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the
upper bound and always pass for negative values because C integer
promotion converts the __u16 btf_vlen result to int, making the
comparison (int)(-1) >= (int)(N) false for any positive N.

When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,
producing an out-of-bounds read far past the members array.  A crafted
BPF program with a negative CO-RE accessor on any struct that exists in
vmlinux BTF (e.g. task_struct) crashes the kernel deterministically
during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y
(default on major distributions).  The bug is reachable with CAP_BPF:

 BUG: unable to handle page fault for address: ffffed11818b6626
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 Oops: Oops: 0000 [#1] SMP KASAN NOPTI
 CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)
 RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)
 RAX: 00000000ffffffff
 Call Trace:
  <TASK>
  bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)
  bpf_core_apply (kernel/bpf/btf.c:9507)
  check_core_relo (kernel/bpf/verifier.c:19475)
  bpf_check (kernel/bpf/verifier.c:26031)
  bpf_prog_load (kernel/bpf/syscall.c:3089)
  __sys_bpf (kernel/bpf/syscall.c:6228)
  </TASK>

CO-RE accessor indices are inherently non-negative (struct member index,
array element index, or enumerator index), so reject them immediately
after parsing.

Fixes: ddc7c30426 ("libbpf: implement BPF CO-RE offset relocation algorithm")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260404161221.961828-2-bestswngs@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-04-07 08:27:55 -07:00
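As an added illustration of the integer-promotion gap the commit message describes (example code, not taken from the patch or from libbpf): a minimal stand-in for the per-component `"%d"` parse and bounds check, using constructed per-level member counts in place of btf_vlen(). old_check_passes() is the upper-bound-only comparison before the fix, new_check_passes() the rejection the commit adds, and as_member_idx() the u32 conversion that turns -1 into the 0xffffffff seen in RAX.

```c
#include <stdio.h>
#include <stdint.h>

typedef uint16_t u16;   /* btf_vlen() returns a 16-bit member count */

/* Constructed stand-in for btf_vlen(t) at each nesting level of the spec. */
static const u16 level_vlen[] = { 4, 3, 5 };
#define MAX_LEVELS ((int)(sizeof(level_vlen) / sizeof(level_vlen[0])))

/* Pre-fix check: only the upper bound. u16 promotes to int, so
 * (int)-1 >= (int)N is false for any positive N and -1 slips through. */
int old_check_passes(int access_idx, u16 vlen)
{
	return !(access_idx >= vlen);
}

/* Post-fix check: reject negative indices before any bounds comparison. */
int new_check_passes(int access_idx, u16 vlen)
{
	if (access_idx < 0)
		return 0;
	return !(access_idx >= vlen);
}

/* Same implicit conversion a negative index undergoes when handed to a
 * u32 member-index parameter: -1 becomes 0xffffffff (the RAX in the oops). */
uint32_t as_member_idx(int access_idx)
{
	return (uint32_t)access_idx;
}

/* Parse "0:1:2"-style accessors one "%d" component at a time, as
 * bpf_core_parse_spec() does, validating each with the given checker.
 * Returns the number of components, -1 on malformed input, -2 on a
 * rejected index. Hypothetical helper, not the libbpf function. */
int parse_spec(const char *spec, int (*check)(int, u16), int *out, int max_out)
{
	int n = 0, idx, len = 0;

	while (*spec && n < max_out) {
		if (sscanf(spec, "%d%n", &idx, &len) != 1)
			return -1;
		if (n < MAX_LEVELS && !check(idx, level_vlen[n]))
			return -2;
		out[n++] = idx;
		spec += len;
		if (*spec == ':')
			spec++;
		else if (*spec)
			return -1;
	}
	return n;
}
```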
.gitignore tools build: Correct bpf fixdep dependencies 2024-08-05 12:19:48 -03:00
Build libbpf: move libbpf_errstr() into libbpf_utils.c 2025-10-01 15:27:25 -07:00
Makefile tools: Remove redundant quiet setup 2025-02-18 16:27:43 -03:00
bpf.c libbpf: add fsession support 2026-01-24 18:49:36 -08:00
bpf.h libbpf: Add BPF_F_CPU and BPF_F_ALL_CPUS flags support for percpu maps 2026-01-06 20:48:32 -08:00
bpf_core_read.h bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ 2025-05-05 14:20:28 -07:00
bpf_endian.h
bpf_gen_internal.h libbpf: Embed and verify the metadata hash in the loader 2025-09-22 19:17:55 -07:00
bpf_helpers.h libbpf: Remove extern declaration of bpf_stream_vprintk() 2026-02-18 14:58:47 -08:00
bpf_prog_linfo.c
bpf_tracing.h libbpf: Fix powerpc's stack register definition in bpf_tracing.h 2025-10-23 11:25:16 -07:00
btf.c libbpf: BTF validation can use layout for unknown kinds 2026-03-26 13:53:56 -07:00
btf.h libbpf: Add layout encoding support 2026-03-26 13:53:56 -07:00
btf_dump.c libbpf: Fix OOB read in btf_dump_get_bitfield_value 2026-01-09 15:54:31 -08:00
btf_iter.c libbpf,bpf: Share BTF relocate-related code with kernel 2024-06-21 14:45:07 -07:00
btf_relocate.c libbpf: Fix incorrect traversal end type ID when marking BTF_IS_EMBEDDED 2025-01-16 15:34:18 -08:00
elf.c libbpf: move libbpf_errstr() into libbpf_utils.c 2025-10-01 15:27:25 -07:00
features.c libbpf: Support sanitization of BTF layout for older kernels 2026-03-26 13:53:56 -07:00
gen_loader.c libbpf: move libbpf_errstr() into libbpf_utils.c 2025-10-01 15:27:25 -07:00
hashmap.c
hashmap.h libbpf: Fix possible compiler warnings in hashmap 2024-10-11 12:36:59 -07:00
libbpf.c libbpf: Clarify raw-address single kprobe attach behavior 2026-04-02 13:23:19 -07:00
libbpf.h libbpf: Clarify raw-address single kprobe attach behavior 2026-04-02 13:23:19 -07:00
libbpf.map libbpf: Fix BTF handling in bpf_program__clone() 2026-04-02 13:02:46 -07:00
libbpf.pc.template
libbpf_common.h libbpf: Fix potential uninitialized tail padding with LIBBPF_OPTS_RESET 2023-11-09 19:07:51 -08:00
libbpf_internal.h libbpf: Support sanitization of BTF layout for older kernels 2026-03-26 13:53:56 -07:00
libbpf_legacy.h libbpf: Fix some typos in comments 2024-09-09 16:05:40 -07:00
libbpf_probes.c libbpf: Support sanitization of BTF layout for older kernels 2026-03-26 13:53:56 -07:00
libbpf_utils.c libbpf: Fix undefined behavior in {get,put}_unaligned_be32() 2025-10-06 09:16:29 -07:00
libbpf_version.h libbpf: Start v1.8 development cycle 2026-03-16 14:15:15 -07:00
linker.c libbpf: Fix invalid write loop logic in bpf_linker__add_buf() 2026-02-13 14:14:27 -08:00
netlink.c bpftool: Fix truncated netlink dumps 2026-02-17 16:54:03 -08:00
nlattr.c libbpf: Use proper errno value in nlattr 2025-05-12 15:22:54 -07:00
nlattr.h
relo_core.c bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() 2026-04-07 08:27:55 -07:00
relo_core.h
ringbuf.c libbpf: move libbpf_errstr() into libbpf_utils.c 2025-10-01 15:27:25 -07:00
skel_internal.h libbpf: Update light skeleton for signing 2025-09-22 19:17:25 -07:00
strset.c
strset.h
usdt.bpf.h libbpf: Fix USDT SIB argument handling causing unrecognized register error 2025-08-27 15:44:25 -07:00
usdt.c libbpf: Add support to detect nop,nop5 instructions combo for usdt probe 2026-03-03 08:39:22 -08:00
zip.c libbpf: Remove unneeded semicolon 2024-10-03 17:47:35 -07:00
zip.h