lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f6e9710a-a5bf-4af9-8c0d-d81d28c3040c@kernel.org>
Date: Thu, 4 Sep 2025 15:45:30 -0700
From: Song Liu <song@...nel.org>
To: Arnaud Lecomte <contact@...aud-lcm.com>, alexei.starovoitov@...il.com,
 yonghong.song@...ux.dev
Cc: andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
 daniel@...earbox.net, eddyz87@...il.com, haoluo@...gle.com,
 john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org,
 linux-kernel@...r.kernel.org, martin.lau@...ux.dev, sdf@...ichev.me,
 syzbot+c9b724fbb41cf2538b7b@...kaller.appspotmail.com,
 syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH bpf-next v7 3/3] bpf: fix stackmap overflow check in
 __bpf_get_stackid()


On 9/3/25 4:43 PM, Arnaud Lecomte wrote:
> Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
> when copying stack trace data. The issue occurs when the perf trace
>   contains more stack entries than the stack map bucket can hold,
>   leading to an out-of-bounds write in the bucket's data array.
>
> Changes in v2:
>   - Fixed max_depth names across get stack id
>
> Changes in v4:
>   - Removed unnecessary empty line in __bpf_get_stackid
>
> Changs in v6:
>   - Added back trace_len computation in __bpf_get_stackid
>
> Link to v6: https://lore.kernel.org/all/20250903135348.97884-1-contact@arnaud-lcm.com/
>
> Reported-by: syzbot+c9b724fbb41cf2538b7b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
> Fixes: ee2a098851bf ("bpf: Adjust BPF stack helper functions to accommodate skip > 0")
> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
> Acked-by: Yonghong Song <yonghong.song@...ux.dev>

For future patches, please keep the "Changes in vX.." at the end of

your commit log and after a "---". IOW, something like


Acked-by: Yonghong Song <yonghong.song@...ux.dev>

---

changes in v2:

...

---

kernel/bpf/stackmap.c | 8 ++++++++


In this way, the "changes in vXX" part will be removed by git-am.

> ---
>   kernel/bpf/stackmap.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
>
> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
> index 9f3ae426ddc3..29e05c9ff1bd 100644
> --- a/kernel/bpf/stackmap.c
> +++ b/kernel/bpf/stackmap.c
> @@ -369,6 +369,7 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
>   {
>   	struct perf_event *event = ctx->event;
>   	struct perf_callchain_entry *trace;
> +	u32 elem_size, max_depth;
>   	bool kernel, user;
>   	__u64 nr_kernel;
>   	int ret;
> @@ -390,11 +391,15 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
>   		return -EFAULT;
>   
>   	nr_kernel = count_kernel_ip(trace);
> +	elem_size = stack_map_data_size(map);
>   
>   	if (kernel) {
>   		__u64 nr = trace->nr;
>   
>   		trace->nr = nr_kernel;

this trace->nr = is useless.

> +		max_depth =
> +			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
> +		trace->nr = min_t(u32, nr_kernel, max_depth);
>   		ret = __bpf_get_stackid(map, trace, flags);
>   
>   		/* restore nr */
> @@ -407,6 +412,9 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
>   			return -EFAULT;
>   
>   		flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
> +		max_depth =
> +			stack_map_calculate_max_depth(map->value_size, elem_size, flags);
> +		trace->nr = min_t(u32, trace->nr, max_depth);
>   		ret = __bpf_get_stackid(map, trace, flags);

I missed this part earlier. Here we need to restore trace->nr, just like 
we did

in the "if (kernel)" branch.

Thanks,

Song

>   	}
>   	return ret;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ