Re: [PATCH bpf v1] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage

From: xulang

Date: Mon Mar 16 2026 - 09:56:49 EST


From: Lang Xu <xulang@xxxxxxxxxxxxx>

> Please create a selftest for this.

Going to do that. To stably reproduce this bug, I need the KASAN
config enabled. How do I ensure it's enabled during a selftest cycle,
by adding the line below to the 'config'? Not quite sure.

--- a/tools/testing/selftests/bpf/config
+++ b/tools/testing/selftests/bpf/config
@@ -46,6 +46,7 @@ CONFIG_IPV6_GRE=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_IPV6_SIT=y
CONFIG_IPV6_TUNNEL=y
+CONFIG_KASAN=y
CONFIG_KEYS=y
CONFIG_LIRC=y
CONFIG_LWTUNNEL=y
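Review bot: this line goes into the shared tools/testing/selftests/bpf/config, so CONFIG_KASAN=y would be turned on for every test in the suite, not just the new one; the reproduction note above says the bug only shows up reliably under KASAN. Rather than relying on the sanitizer to flag the bad copy, consider writing the selftest so it fails deterministically on an unpatched kernel without KASAN, e.g. by checking that bytes beyond the declared value_size of the source are never read into the destination. If KASAN really is required, the placement between CONFIG_IPV6_TUNNEL=y and CONFIG_KEYS=y keeps the file's alphabetical order, but the reason for adding it belongs in the commit message.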

> This is fixing the src side of the "copy_map_value_long(map, dst, src)".
> The src could also be from a skb? What is the value_size that the
> verifier is checking for bpf_map_update_elem?

The value_size checked by the verifier is exactly the size with which
the map is defined, i.e., not the size rounded up to 8 bytes by the kernel.

As for bpf_map_update_elem->..->copy_map_value_long, 'src' couldn't be from
'skb', which mismatches the expected ptr-type of 'bpf_map_update_elem'.
I've tried code like this:

1. bpf_map_update_elem(&lru_map, &key, skb, BPF_ANY);
2. bpf_map_update_elem(&lru_map, &key, skb->sk, BPF_ANY); // null checked
3. bpf_map_update_elem(&lru_map, &key, skb->flow_keys, BPF_ANY);

All these ptrs mismatch the expected ptr-type, which is detected by the verifier.
The verifier complains with a msg like 'R3 type=ctx expected=fp, pkt, pkt_meta, map_key,
map_value, mem, ringbuf_mem, buf, trusted_ptr'.