[PATCH bpf v5 0/2] bpf: Fix OOB in pcpu_init_value and add a test
From: xulang
Date: Thu Apr 02 2026 - 03:55:35 EST
From: Lang Xu <xulang@xxxxxxxxxxxxx>
Fix OOB read when copying element from a BPF_MAP_TYPE_CGROUP_STORAGE
map to another pcpu map with the same value_size that is not rounded
up to 8 bytes, and add a test case to reproduce the issue.
The root cause is that pcpu_init_value() uses copy_map_value_long() which
rounds up the copy size to 8 bytes, but CGROUP_STORAGE map values are not
8-byte aligned (e.g., 4-byte). This causes a 4-byte OOB read when
the copy is performed.
Lang Xu (2):
bpf: Fix OOB in pcpu_init_value
selftests/bpf: Add test for cgroup storage OOB read
Signed-off-by: Lang Xu <xulang@xxxxxxxxxxxxx>
---
Changes since v4:
- Make the summary phrase of the cover different from patch 1
- Fix patch series format issues
Changes since v3:
- Nothing changed; just resent the patch series manually.
There is something wrong with my email server (Message-ID overridden).
Changes since v2:
- Fix patch series format issues
- Instead of aligning the CGROUP_STORAGE allocation, fix it by replacing
  copy_map_value_long with copy_map_value in pcpu_init_value
Changes since v1:
- Add self-test program to reproduce the issue
base-commit: 7aaa8047eafd ("Linux 7.0-rc6")
kernel/bpf/hashtab.c | 2 +-
tools/testing/selftests/bpf/prog_tests/cgroup_storage.c | 42 +++++++++++++++++++++
tools/testing/selftests/bpf/progs/cgroup_storage.c | 43 ++++++++++++++++++++++
3 files changed, 86 insertions(+), 1 deletion(-)
--
2.51.0
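A userspace model of the copy-size mismatch this cover letter describes, added here as an illustration and not part of the series or of the kernel: it contrasts the 8-byte rounded copy length of copy_map_value_long() with the exact length of copy_map_value() on a constructed 4-byte cgroup-storage element. The helper names, the NCPUS constant and the overrun check are the example's own; where the rounded length would read past the source element, the model reports the overrun instead of performing the copy.

```c
/* Userspace model of the bug described above. Added example, not kernel code:
 * the names stand in for copy_map_value_long()/copy_map_value()/pcpu_init_value(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROUND_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))
#define NCPUS 2   /* assumed per-cpu count for the model */

/* copy_map_value_long(): copy length rounded up to a multiple of 8 bytes */
static size_t copy_len_long(size_t value_size) { return ROUND_UP(value_size, 8); }

/* copy_map_value(): copy exactly value_size bytes (the fix) */
static size_t copy_len_exact(size_t value_size) { return value_size; }

/*
 * Model of pcpu_init_value(): replicate the source element into each per-cpu
 * slot. Slots are 8-byte rounded as for pcpu maps, but the source element
 * (a CGROUP_STORAGE value) is only value_size bytes long. Returns how many
 * bytes the chosen copy length would read past the source allocation; the
 * copy is performed only when that number is 0.
 */
static size_t pcpu_init_value_model(uint8_t *pcpu, size_t value_size,
                                    const uint8_t *src, size_t src_alloc,
                                    size_t (*copy_len)(size_t))
{
    size_t len = copy_len(value_size);
    size_t stride = ROUND_UP(value_size, 8);

    if (len > src_alloc)
        return len - src_alloc;          /* would be an OOB read of src */
    for (int cpu = 0; cpu < NCPUS; cpu++)
        memcpy(pcpu + (size_t)cpu * stride, src, len);
    return 0;
}

/* Constructed 4-byte cgroup-storage value copied with either helper.
 * Returns the overrun in bytes: 4 for the rounded copy, 0 for the exact one. */
static size_t demo_overrun(size_t (*copy_len)(size_t))
{
    uint8_t src[4] = { 0x11, 0x22, 0x33, 0x44 };     /* exactly value_size */
    uint8_t pcpu[NCPUS * 8];
    memset(pcpu, 0xAA, sizeof pcpu);
    return pcpu_init_value_model(pcpu, sizeof src, src, sizeof src, copy_len);
}

int main(void)
{
    printf("copy_map_value_long: %zu bytes OOB\n", demo_overrun(copy_len_long));
    printf("copy_map_value:      %zu bytes OOB\n", demo_overrun(copy_len_exact));
    return 0;
}
```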