kernel/bpf/stackmap.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
when copying stack trace data. The issue occurs when the perf trace
contains more stack entries than the stack map bucket can hold,
leading to an out-of-bounds write in the bucket's data array.
For build_id mode, we use sizeof(struct bpf_stack_build_id)
to determine capacity, and for normal mode we use sizeof(u64).
Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
Tested-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
---
kernel/bpf/stackmap.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..0f9f6e4b6fe9 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
- u32 hash, id, trace_nr, trace_len, i;
+ u32 hash, id, trace_nr, trace_len, i, max_depth;
bool user = flags & BPF_F_USER_STACK;
u64 *ips;
bool hash_matches;
@@ -241,6 +241,16 @@ static long __bpf_get_stackid(struct bpf_map *map,
trace_nr = trace->nr - skip;
trace_len = trace_nr * sizeof(u64);
+
+ /* Clamp the trace to max allowed depth */
+ if (stack_map_use_build_id(map))
+ max_depth = smap->map.value_size / sizeof(struct bpf_stack_build_id);
+ else
+ max_depth = smap->map.value_size / sizeof(u64);
+
+ if (trace_nr > max_depth)
+ trace_nr = max_depth;
+
ips = trace->ip + skip;
hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
id = hash & (smap->n_buckets - 1);
--
2.43.0On 7/29/25 2:19 AM, Arnaud Lecomte wrote: > Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() > when copying stack trace data. The issue occurs when the perf trace > contains more stack entries than the stack map bucket can hold, > leading to an out-of-bounds write in the bucket's data array. > For build_id mode, we use sizeof(struct bpf_stack_build_id) > to determine capacity, and for normal mode we use sizeof(u64). > > Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b > Tested-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com > Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> > --- > kernel/bpf/stackmap.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c > index 3615c06b7dfa..0f9f6e4b6fe9 100644 > --- a/kernel/bpf/stackmap.c > +++ b/kernel/bpf/stackmap.c > @@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map, > struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map); > struct stack_map_bucket *bucket, *new_bucket, *old_bucket; > u32 skip = flags & BPF_F_SKIP_FIELD_MASK; > - u32 hash, id, trace_nr, trace_len, i; > + u32 hash, id, trace_nr, trace_len, i, max_depth; > bool user = flags & BPF_F_USER_STACK; > u64 *ips; > bool hash_matches; > @@ -241,6 +241,16 @@ static long __bpf_get_stackid(struct bpf_map *map, > > trace_nr = trace->nr - skip; > trace_len = trace_nr * sizeof(u64); > + > + /* Clamp the trace to max allowed depth */ > + if (stack_map_use_build_id(map)) > + max_depth = smap->map.value_size / sizeof(struct bpf_stack_build_id); > + else > + max_depth = smap->map.value_size / sizeof(u64); Replace the above with max_depth = smap->map.value_size / stack_map_data_size(map) ? > + > + if (trace_nr > max_depth) > + trace_nr = max_depth; > + > ips = trace->ip + skip; > hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0); > id = hash & (smap->n_buckets - 1);
Good catch thanks Yonghong, sending rev2. On 29/07/2025 17:21, Yonghong Song wrote: > > > On 7/29/25 2:19 AM, Arnaud Lecomte wrote: >> Syzkaller reported a KASAN slab-out-of-bounds write in >> __bpf_get_stackid() >> when copying stack trace data. The issue occurs when the perf trace >> contains more stack entries than the stack map bucket can hold, >> leading to an out-of-bounds write in the bucket's data array. >> For build_id mode, we use sizeof(struct bpf_stack_build_id) >> to determine capacity, and for normal mode we use sizeof(u64). >> >> Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com >> Closes: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b >> Tested-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com >> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> >> --- >> kernel/bpf/stackmap.c | 12 +++++++++++- >> 1 file changed, 11 insertions(+), 1 deletion(-) >> >> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c >> index 3615c06b7dfa..0f9f6e4b6fe9 100644 >> --- a/kernel/bpf/stackmap.c >> +++ b/kernel/bpf/stackmap.c >> @@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map, >> struct bpf_stack_map *smap = container_of(map, struct >> bpf_stack_map, map); >> struct stack_map_bucket *bucket, *new_bucket, *old_bucket; >> u32 skip = flags & BPF_F_SKIP_FIELD_MASK; >> - u32 hash, id, trace_nr, trace_len, i; >> + u32 hash, id, trace_nr, trace_len, i, max_depth; >> bool user = flags & BPF_F_USER_STACK; >> u64 *ips; >> bool hash_matches; >> @@ -241,6 +241,16 @@ static long __bpf_get_stackid(struct bpf_map *map, >> trace_nr = trace->nr - skip; >> trace_len = trace_nr * sizeof(u64); >> + >> + /* Clamp the trace to max allowed depth */ >> + if (stack_map_use_build_id(map)) >> + max_depth = smap->map.value_size / sizeof(struct >> bpf_stack_build_id); >> + else >> + max_depth = smap->map.value_size / sizeof(u64); > > Replace the above with > max_depth = smap->map.value_size / stack_map_data_size(map) > ? > >> + >> + if (trace_nr > max_depth) >> + trace_nr = max_depth; >> + >> ips = trace->ip + skip; >> hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0); >> id = hash & (smap->n_buckets - 1); > >
© 2016 - 2025 Red Hat, Inc.