[PATCH bpf 0/2] libbpf: Reject out-of-range linker relocation offsets

Next message: HyeongJun An: "[PATCH bpf 1/2] libbpf: Reject out-of-range linker relocation offsets"
Previous message: Bryam Vargas via B4 Relay: "[PATCH 0/2] (no cover subject)"
Next in thread: HyeongJun An: "[PATCH bpf 1/2] libbpf: Reject out-of-range linker relocation offsets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: HyeongJun An

Date: Sun Jun 14 2026 - 01:39:55 EST

The libbpf static linker validates relocation type, symbol index and
instruction alignment in linker_sanity_check_elf_relos(), but does not
check that the relocation offset is inside the relocated section. A
malformed BPF object processed by the static linker (e.g. via
"bpftool gen object") can therefore carry an out-of-range r_offset that
linker_append_elf_relos() then uses to index the section data, reading
and writing past the buffer.

The normal object-loading path already rejects such offsets (libbpf.c,
rel->r_offset >= scn_data->d_size); the static linker path is the
missing sibling. Patch 1 adds the same bound. Patch 2 adds a selftest
that builds a tiny object with an out-of-range relocation offset and
checks that the linker now rejects it, with a valid relocation as a
positive control.

Reproduced with ASAN: before patch 1 the out-of-range relocation is
accepted (and triggers a heap-buffer-overflow); after, it is rejected
with -EINVAL.

HyeongJun An (2):
libbpf: Reject out-of-range linker relocation offsets
selftests/bpf: Test linker rejects out-of-range relocation offset

tools/lib/bpf/linker.c | 6 +
.../selftests/bpf/prog_tests/libbpf_linker.c | 212 ++++++++++++++++++
2 files changed, 218 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/libbpf_linker.c

--
2.43.0