Re: [PATCH v4] libbpf: harden parse_vma_segs() path parsing
From: Andrii Nakryiko
Date: Thu May 28 2026 - 17:27:45 EST
On Fri, May 22, 2026 at 1:14 PM Michael Bommarito
<michael.bommarito@xxxxxxxxx> wrote:
>
> parse_vma_segs() in tools/lib/bpf/usdt.c parses /proc/<pid>/maps
> with two widthless scansets, "%s" into mode[16] and "%[^\n]"
> into line[4096]. A VMA name in maps is not limited to that local
> buffer; a deeply nested backing path can produce a maps record long
> enough to overflow the stack buffer.
>
> Bound both scansets to the declared buffer sizes ("%15s" for mode[16]
> and "%4095[^\n]" for line[4096]) and drain any residue past line[4094]
> with "%*[^\n]" before the trailing "\n". Without the drain, the residue
> of an over-long record would stay in the stream and break the next
> "%zx-%zx" parse, so the loop would exit early and silently skip later
> maps records.
>
> Also stop using sscanf(..., "%s") to peel the /proc/<pid>/root prefix
> from lib_path. Parse the pid and prefix length with "%n", check for the
> following slash, and copy the remainder with libbpf_strlcpy(). That
> removes a second unbounded stack write and preserves paths containing
> spaces.
>
> Fixes: 74cc6311cec9 ("libbpf: Add USDT notes parsing and resolution logic")
> Cc: stable@xxxxxxxxxxxxxxx
dropped Cc: stable, libbpf is packaged through the GitHub repo and
in-kernel libbpf usage doesn't use USDTs for anything, so there is
nothing to backport
applied to bpf-next, thanks!
> Reviewed-by: Emil Tsalapatis <emil@xxxxxxxxxxxxxxx>
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
> ---
> v4:
> - Carry Emil's Reviewed-by.
> - Simplify the /proc/<pid>/root prefix handling with sscanf() %n,
> removing the unreachable snprintf() length check.
> - Initialize and check the %n output before using it, so partial
> literal matches after the pid cannot use an unassigned offset.
> - Add a short comment for the %n return-value rule.
> - Declare the maps-line buffer as line[4096] to match the %4095
> scanset width.
> - Reword the maps-line comment without seq_file implementation detail.
>
> v3:
> - Correct Fixes tag to the initial USDT implementation commit,
> per BPF CI review after adding second site.
>
[...]
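The commit message above describes two properties of the hardened fscanf() format: bounded scanset widths that match the destination buffers, and a `%*[^\n]` drain so the residue of an over-long record cannot be left in the stream for the next `%zx-%zx` to trip over. The program below is an added illustration of that second point, not code from the patch or from libbpf; the format string, the record layout, the three-record maps excerpt and the `parse_maps`/`run_demo` helpers are all constructed here to mirror the described behaviour, and the real libbpf loop is not reproduced. It feeds the same excerpt, whose middle record carries a name longer than the 4096-byte line buffer, to a loop with and without the drain and counts how many records survive.

```c
/* Added example: bounded scansets plus a %*[^\n] drain when parsing
 * /proc/<pid>/maps-style records. Constructed to mirror the fix described
 * in the commit message; not libbpf's parse_vma_segs(). */
#define _POSIX_C_SOURCE 200809L	/* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGS 8
#define LINE_SZ 4096

struct seg {
	size_t start, end, off;
	char perms[16];		/* "%15s" leaves room for the terminator */
	char path[LINE_SZ];	/* "%4095[^\n]" leaves room for the terminator */
};

/* Parsed records are left here for inspection by main() or a test. */
static struct seg demo_segs[MAX_SEGS];

/* Parse records of the form "start-end perms off dev inode name" (constructed
 * layout). With drain != 0 every scanset is bounded to its buffer and whatever
 * remains of an over-long line is discarded by "%*[^\n]", so the next
 * "%zx-%zx" lands on the start of the next record. With drain == 0 the widths
 * are still bounded but the residue stays in the stream and desynchronises
 * the loop. Returns the number of records parsed before EOF or the first
 * misparse (this simplified loop stops on a misparse rather than spinning). */
static int parse_maps(FILE *f, struct seg *segs, int max, int drain)
{
	int n = 0;

	while (n < max) {
		struct seg *s = &segs[n];
		int r;

		s->path[0] = '\0';
		if (drain)
			r = fscanf(f, "%zx-%zx %15s %zx %*s %*s%4095[^\n]%*[^\n]\n",
				   &s->start, &s->end, s->perms, &s->off, s->path);
		else
			r = fscanf(f, "%zx-%zx %15s %zx %*s %*s%4095[^\n]\n",
				   &s->start, &s->end, s->perms, &s->off, s->path);
		if (r == EOF || r != 5)
			break;
		n++;
	}
	return n;
}

/* Build a constructed three-record excerpt. The middle record's name is
 * LINE_SZ + 100 filler bytes ('z' is chosen because it is not a hex digit),
 * longer than the line buffer; the last record is anonymous with a trailing
 * space, the way such lines commonly appear. */
static char *build_input(size_t *len)
{
	size_t long_len = LINE_SZ + 100;
	char *buf = malloc(long_len + 512);
	int n;

	if (!buf)
		return NULL;
	n = sprintf(buf, "7f0000001000-7f0000002000 r-xp 00000000 08:01 1234 /usr/lib/libexample.so\n");
	n += sprintf(buf + n, "7f0000002000-7f0000003000 r--p 00000000 08:01 1234 ");
	memset(buf + n, 'z', long_len);
	n += (int)long_len;
	n += sprintf(buf + n, "\n7f0000003000-7f0000004000 rw-p 00000000 00:00 0 \n");
	*len = (size_t)n;
	return buf;
}

/* Run the parser over the constructed excerpt; returns the record count. */
static int run_demo(int drain)
{
	size_t len;
	char *input = build_input(&len);
	FILE *f;
	int n;

	if (!input)
		return -1;
	f = fmemopen(input, len, "r");
	if (!f) {
		free(input);
		return -1;
	}
	memset(demo_segs, 0, sizeof(demo_segs));
	n = parse_maps(f, demo_segs, MAX_SEGS, drain);
	fclose(f);
	free(input);
	return n;
}

int main(void)
{
	int n = run_demo(1);

	printf("with drain:    %d records, over-long name truncated to %zu bytes, "
	       "next start=%zx\n", n, strlen(demo_segs[1].path), demo_segs[2].start);
	n = run_demo(0);
	printf("without drain: %d records (the residue of record 2 breaks record 3)\n", n);
	return 0;
}
```

With the drain all three records parse and the over-long name is simply truncated to 4095 bytes; without it the leftover filler is what the next `%zx` sees, the conversion fails, and the final record is never reached, which is the early-exit behaviour the commit message warns about.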