Commit 23f852da authored by Arnaud Lecomte's avatar Arnaud Lecomte Committed by Andrii Nakryiko
Browse files

bpf: Fix stackmap overflow check in __bpf_get_stackid() 



Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
when copying stack trace data. The issue occurs when the perf trace
 contains more stack entries than the stack map bucket can hold,
 leading to an out-of-bounds write in the bucket's data array.

Fixes: ee2a0988 ("bpf: Adjust BPF stack helper functions to accommodate skip > 0")
Reported-by: default avatar <syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com>
Signed-off-by: default avatarArnaud Lecomte <contact@arnaud-lcm.com>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Acked-by: default avatarYonghong Song <yonghong.song@linux.dev>
Acked-by: default avatarSong Liu <song@kernel.org>
Link: https://lore.kernel.org/bpf/20251025192941.1500-1-contact@arnaud-lcm.com

Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
parent e17d62fe

kernel/bpf/stackmap.c

+8 −7
Original line number Diff line number Diff line
@@ -251,8 +251,8 @@ static long __bpf_get_stackid(struct bpf_map *map, 
{

	struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);

	struct stack_map_bucket *bucket, *new_bucket, *old_bucket;

	u32 hash, id, trace_nr, trace_len, i, max_depth;

	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;

	u32 hash, id, trace_nr, trace_len, i;

	bool user = flags & BPF_F_USER_STACK;

	u64 *ips;

	bool hash_matches;
@@ -261,7 +261,8 @@ static long __bpf_get_stackid(struct bpf_map *map, 
		/* skipping more than usable stack trace */

		return -EFAULT;



	trace_nr = trace->nr - skip;

	max_depth = stack_map_calculate_max_depth(map->value_size, stack_map_data_size(map), flags);

	trace_nr = min_t(u32, trace->nr - skip, max_depth - skip);

	trace_len = trace_nr * sizeof(u64);

	ips = trace->ip + skip;

	hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
@@ -390,15 +391,11 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx, 
		return -EFAULT;



	nr_kernel = count_kernel_ip(trace);

	__u64 nr = trace->nr; /* save original */



	if (kernel) {

		__u64 nr = trace->nr;



		trace->nr = nr_kernel;

		ret = __bpf_get_stackid(map, trace, flags);



		/* restore nr */

		trace->nr = nr;

	} else { /* user */

		u64 skip = flags & BPF_F_SKIP_FIELD_MASK;
@@ -409,6 +406,10 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx, 
		flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;

		ret = __bpf_get_stackid(map, trace, flags);

	}



	/* restore nr */

	trace->nr = nr;



	return ret;

}