[PATCH bpf v3 0/2] bpf: Fix OOB in pcpu_init_value

Next message: xulang: "[PATCH bpf v3 2/2] selftests/bpf: Add test for cgroup storage OOB read"
Previous message: xulang: "[PATCH bpf v3 1/2] bpf: Fix OOB in pcpu_init_value"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: xulang

Date: Thu Apr 02 2026 - 02:05:38 EST

From: Lang Xu <xulang@xxxxxxxxxxxxx>

Fix OOB read when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE
map to another pcpu map with the same value_size that is not rounded
up to 8 bytes, and add a test case to reproduce the issue.

The root cause is that pcpu_init_value() uses copy_map_value_long() which
rounds up the copy size to 8 bytes, but CGROUP_STORAGE map values are not
8-byte aligned (e.g., 4-byte). This causes a 4-byte OOB read when
the copy is performed.

Lang Xu (2):
bpf: Fix OOB in pcpu_init_value
selftests/bpf: Add test for cgroup storage OOB read

Signed-off-by: Lang Xu <xulang@xxxxxxxxxxxxx>
---
Changes since v2:
- Fix patch series format issues
- Instead of aligning CGROUP_STORAGE allocation,
fix it by replacing copy_map_value_long with copy_map_value in
pcpu_init_value

Changes since v1:
- Add self-test program to reproduce the issue

base-commit: 7aaa8047eafd ("Linux 7.0-rc6")

kernel/bpf/hashtab.c | 2 +-
.../selftests/bpf/prog_tests/cgroup_storage.c | 46 +++++++++++++++++-
.../selftests/bpf/progs/cgroup_storage.c | 43 +++++++++++++++++++
3 files changed, 90 insertions(+), 1 deletion(-)

--
2.51.0