| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <468c97464c9b7d16dcbcd192ab8616cb9d55fc0f3948c4df57dd7504a277889e@mail.kernel.org>
Date: Mon, 19 Jan 2026 18:45:36 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: piliu@...hat.com,kexec@...ts.infradead.org
Cc: piliu@...hat.com,davem@...emloft.net,ast@...nel.org,daniel@...earbox.net,john.fastabend@...il.com,andrii@...nel.org,martin.lau@...ux.dev,eddyz87@...il.com,song@...nel.org,yonghong.song@...ux.dev,jeremy.linton@....com,catalin.marinas@....com,will@...nel.org,ardb@...nel.org,horms@...nel.org,kraxel@...hat.com,vkuznets@...hat.com,prudo@...hat.com,vmalik@...hat.com,kernel@...rr.cc,bhe@...hat.com,dyoung@...hat.com,akpm@...ux-foundation.org,bpf@...r.kernel.org,systemd-devel@...ts.freedesktop.org,linux-kernel@...r.kernel.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCHv6 10/13] kexec_file: Integrate bpf light skeleton to load image with bpf-prog
> diff --git a/kernel/kexec_bpf_loader.c b/kernel/kexec_bpf_loader.c
> index 5ad67672dead..9f1c5aede42e 100644
> --- a/kernel/kexec_bpf_loader.c
> +++ b/kernel/kexec_bpf_loader.c
[ ... ]
> +static void *get_symbol_from_elf(const char *elf_data, size_t elf_size,
> + const char *symbol_name, unsigned int *symbol_size)
> +{
> + Elf_Ehdr *ehdr = (Elf_Ehdr *)elf_data;
> + Elf_Shdr *shdr, *dst_shdr;
> + const Elf_Sym *sym;
> + void *symbol_data;
> +
> + if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0) {
> + pr_err("Not a valid ELF file\n");
> + return NULL;
> + }
> +
> + sym = elf_find_symbol(ehdr, symbol_name);
> + if (!sym)
> + return NULL;
> + shdr = (struct elf_shdr *)(elf_data + ehdr->e_shoff);
> + dst_shdr = &shdr[sym->st_shndx];
> + symbol_data = (void *)(elf_data + dst_shdr->sh_offset + sym->st_value);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The elf_size parameter is declared but never used in this function. The
pointer calculations at ehdr->e_shoff, shdr[sym->st_shndx], and
dst_shdr->sh_offset + sym->st_value could all access memory beyond the
ELF buffer if the ELF data is malformed. Should there be bounds checking
against elf_size to prevent out-of-bounds reads?
> + *symbol_size = sym->st_size;
> +
> + return symbol_data;
> +}
> +
> /* Load a ELF */
> static int arm_bpf_prog(char *bpf_elf, unsigned long sz)
> {
> + opts_data = get_symbol_from_elf(bpf_elf, sz, "opts_data", &opts_data_sz);
> + opts_insn = get_symbol_from_elf(bpf_elf, sz, "opts_insn", &opts_insn_sz);
> + if (!opts_data || !opts_insn)
> + return -1;
> + /*
> + * When light skeleton generates opts_data[] and opts_insn[], it appends a
> + * NULL terminator at the end of string
> + */
> + opts_data_sz = opts_data_sz - 1;
> + opts_insn_sz = opts_insn_sz - 1;
^^^^^^^^^^^^^^^^^^
If sym->st_size is 0 for either opts_data or opts_insn symbols in the ELF,
then opts_data_sz or opts_insn_sz would be 0 after get_symbol_from_elf()
returns. Subtracting 1 from an unsigned int with value 0 would cause an
integer underflow to UINT_MAX. This large value would then be passed to
bpf_load_and_run() via the opts structure. Would it make sense to check
that opts_data_sz and opts_insn_sz are non-zero before the subtraction?
> +
> + pe_parser = kexec_pe_parser_bpf__open_and_load();
> + if (!pe_parser)
> + return -1;
> + kexec_pe_parser_bpf__attach(pe_parser);
> +
> + return 0;
> }
[ ... ]
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407
Powered by blists - more mailing lists