Re: [PATCH bpf 1/2] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage

From: Martin KaFai Lau

Date: Tue Mar 24 2026 - 21:37:29 EST


On 3/17/26 3:02 AM, xulang wrote:
> From: Lang Xu <xulang@xxxxxxxxxxxxx>
> 
> An out-of-bounds read occurs when copying an element from a
> BPF_MAP_TYPE_CGROUP_STORAGE map to another map type with the same
> value_size that is not 8-byte aligned.
> 
> The issue happens when:
> 1. A CGROUP_STORAGE map is created with value_size not aligned to
> 8 bytes (e.g., 4 bytes)
> 2. A HASH map is created with the same value_size (e.g., 4 bytes)
> 3. An element in map 2 is updated with data from map 1
> 
> In the kernel, map elements are typically aligned to 8 bytes. However,
> bpf_cgroup_storage_calculate_size() allocates storage based on the exact
> value_size without alignment. When copy_map_value_long() is called, it
> assumes all map values are 8-byte aligned and rounds up the copy size,
> leading to a 4-byte out-of-bounds read from the cgroup storage buffer.
> 
> This patch fixes the issue by ensuring cgroup storage allocates 8-byte
> aligned buffers, matching the assumptions in copy_map_value_long().

Comments from v1 are not addressed. Please address or disagree with them before reposting.

The cover letter did not reach the bpf list and patchwork — something is wrong with the reply-to. In general, avoid reply-to for multiple patches. This makes the thread unmanageable. The revision number is also missing in the subject.

Please read submitting-patches.rst before posting again, in particular "The canonical patch format" and "In-Reply-To" sections. Test it with your inbox first.

pw-bot: cr
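Added illustration of the size mismatch described in the quoted commit message; this is not code from the thread or from the kernel. The functions below are simplified stand-ins (assumed names) for round_up(), bpf_cgroup_storage_calculate_size() and copy_map_value_long(), and the arena contents are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of round_up(x, 8) as used for 8-byte aligned map values. */
#define ROUND_UP8(x) (((x) + 7u) & ~7u)

/* Pre-fix bpf_cgroup_storage_calculate_size(): exact value_size, no alignment. */
static size_t storage_size_exact(uint32_t value_size) { return value_size; }

/* Fixed allocation: value_size rounded up to an 8-byte multiple. */
static size_t storage_size_aligned(uint32_t value_size) { return ROUND_UP8(value_size); }

/* copy_map_value_long() assumes 8-byte aligned values and copies
 * round_up(value_size, 8) bytes, as the commit message states. */
static size_t copy_len_long(uint32_t value_size) { return ROUND_UP8(value_size); }

/* Bytes read past the end of a source buffer of 'alloc' bytes; 0 is in bounds. */
static size_t overread_bytes(size_t alloc, uint32_t value_size)
{
    size_t n = copy_len_long(value_size);
    return n > alloc ? n - alloc : 0;
}

size_t overread_before_fix(uint32_t value_size)
{ return overread_bytes(storage_size_exact(value_size), value_size); }

size_t overread_after_fix(uint32_t value_size)
{ return overread_bytes(storage_size_aligned(value_size), value_size); }

/* Constructed arena: the element occupies the first 'alloc' bytes, the rest
 * is a 0xAA marker standing in for whatever memory follows the allocation.
 * Returns 1 if the rounded-up copy pulls marker bytes into the destination.
 * value_size must be <= 24 so the copy stays inside the 32-byte arena. */
int copy_pulls_adjacent_bytes(size_t alloc, uint32_t value_size)
{
    uint8_t arena[32], dst[32];
    if (value_size > 24 || alloc > 24) return -1;
    memset(arena, 0xAA, sizeof arena);
    memset(arena, 0x11, alloc);                 /* element data */
    size_t n = copy_len_long(value_size);
    memcpy(dst, arena, n);                      /* model of copy_map_value_long() */
    for (size_t i = 0; i < n; i++)
        if (dst[i] == 0xAA) return 1;           /* adjacent memory reached dst */
    return 0;
}

int main(void)
{
    printf("value_size=4: overread before fix %zu, after fix %zu\n",
           overread_before_fix(4), overread_after_fix(4));
    return 0;
}
```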