Re: [PATCH bpf v1] bpf: Fix OOB in bpf_obj_memcpy for cgroup storage
From: Martin KaFai Lau
Date: Fri Mar 13 2026 - 16:39:43 EST
On 3/11/26 10:25 PM, xulang wrote:
> From: Lang Xu <xulang@xxxxxxxxxxxxx>
>
> An out-of-bounds read occurs when copying an element from a
> BPF_MAP_TYPE_CGROUP_STORAGE map to another map type with the same
> value_size that is not 8-byte aligned.
>
> The issue happens when:
> 1. A CGROUP_STORAGE map is created with value_size not aligned to
> 8 bytes (e.g., 4 bytes)
> 2. A HASH map is created with the same value_size (e.g., 4 bytes)
> 3. Update an element in 2 with data from 1
Please create a selftest for this.
pw-bot: cr
> In the kernel, map elements are typically aligned to 8 bytes. However,
> bpf_cgroup_storage_calculate_size() allocates storage based on the exact
> value_size without alignment. When copy_map_value_long() is called, it
> assumes all map values are 8-byte aligned and rounds up the copy size,
> leading to a 4-byte out-of-bounds read from the cgroup storage buffer.
>
> This patch fixes the issue by ensuring cgroup storage allocates 8-byte
> aligned buffers, matching the assumptions in copy_map_value_long().
This is fixing the src side of the "copy_map_value_long(map, dst, src)".
The src could also be from a skb? What is the value_size that the verifier is checking for bpf_map_update_elem?
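The size mismatch the patch description explains, as an added user-space model that is not kernel code and not part of this thread: calc_size_unaligned, calc_size_aligned, copy_map_value_long_model and leaked_bytes are constructed names that only mirror the roles of bpf_cgroup_storage_calculate_size() and copy_map_value_long(), and the poisoned arena stands in for whatever memory happens to follow the cgroup storage allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ROUND_UP(x, a) (((x) + (a) - 1) / (a) * (a))
#define POISON 0xAA /* marks bytes that lie just past the storage allocation */

/* Pre-fix sizing (constructed model): the exact value_size, no alignment. */
static size_t calc_size_unaligned(size_t value_size)
{
    return value_size;
}

/* Post-fix sizing (constructed model): value_size rounded up to 8 bytes. */
static size_t calc_size_aligned(size_t value_size)
{
    return ROUND_UP(value_size, 8);
}

/* Model of copy_map_value_long(): it copies round_up(value_size, 8) bytes
 * because it assumes every map value is 8-byte aligned and padded. */
static void copy_map_value_long_model(void *dst, const void *src, size_t value_size)
{
    memcpy(dst, src, ROUND_UP(value_size, 8));
}

/* Allocate a cgroup-storage value of calc_size(value_size) bytes at the
 * start of a poisoned arena, write a value of value_size bytes into it,
 * copy it into an 8-byte-aligned hash-map element, and return how many
 * poison bytes (bytes read past the allocation) landed in the destination. */
static int leaked_bytes(size_t value_size, size_t (*calc_size)(size_t))
{
    _Alignas(8) uint8_t arena[64];
    _Alignas(8) uint8_t dst[64];
    size_t alloc = calc_size(value_size);
    int leaked = 0;

    memset(arena, POISON, sizeof arena);
    memset(arena, 0, alloc);         /* the allocation itself is zero-filled */
    memset(arena, 0x11, value_size); /* then the element's value is stored */
    memset(dst, 0, sizeof dst);

    copy_map_value_long_model(dst, arena, value_size);

    for (size_t i = 0; i < ROUND_UP(value_size, 8); i++)
        if (dst[i] == POISON)
            leaked++;
    return leaked; /* 4 for a 4-byte value with unaligned sizing, 0 with aligned sizing */
}
```

A selftest built on the same idea would place a recognisable pattern after the storage value and check that it never shows up in the destination element.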