1. Patchew
  2. linux
  3. View series

[PATCH bpf-next] bpftool: Check map name length when map create

Rong Tao posted 1 patch 10 months, 1 week ago
There is a newer version of this series
tools/bpf/bpftool/map.c | 6 ++++++
1 file changed, 6 insertions(+)
[PATCH bpf-next] bpftool: Check map name length when map create
Posted by Rong Tao 10 months, 1 week ago 
From: Rong Tao <rongtao@cestc.cn>

The size of struct bpf_map::name is BPF_OBJ_NAME_LEN (16).

bpf(2) {
  map_create() {
    bpf_obj_name_cpy(map->name, attr->map_name, sizeof(attr->map_name));
  }
}

When specifying a map name using bpftool map create name, no error is
reported if the name length is greater than 15.

    $ sudo bpftool map create /sys/fs/bpf/12345678901234567890 \
        type array key 4 value 4 entries 5 name 12345678901234567890

Users will think that 12345678901234567890 is legal, but this name cannot
be used to index a map.

    $ sudo bpftool map show name 12345678901234567890
    Error: can't parse name

    $ sudo bpftool map show
    ...
    1249: array  name 123456789012345  flags 0x0
    	key 4B  value 4B  max_entries 5  memlock 304B

    $ sudo bpftool map show name 123456789012345
    1249: array  name 123456789012345  flags 0x0
    	key 4B  value 4B  max_entries 5  memlock 304B

The map name provided in the command line is truncated, but no error is
reported. This submission checks the length of the map name.

Signed-off-by: Rong Tao <rongtao@cestc.cn>
---
 tools/bpf/bpftool/map.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
index ed4a9bd82931..fa00f7865065 100644
--- a/tools/bpf/bpftool/map.c
+++ b/tools/bpf/bpftool/map.c
@@ -1330,6 +1330,12 @@ static int do_create(int argc, char **argv)
 		goto exit;
 	}
 
+	if (strlen(map_name) > BPF_OBJ_NAME_LEN - 1) {
+		p_err("The map name is too long, should be less than %d\n",
+		      BPF_OBJ_NAME_LEN - 1);
+		goto exit;
+	}
+
 	set_max_rlimit();
 
 	fd = bpf_map_create(map_type, map_name, key_size, value_size, max_entries, &attr);
-- 
2.48.1
Re: [PATCH bpf-next] bpftool: Check map name length when map create
Posted by Quentin Monnet 10 months, 1 week ago 
2025-02-11 16:45 UTC+0800 ~ Rong Tao <rtoax@foxmail.com>
> From: Rong Tao <rongtao@cestc.cn>
> 
> The size of struct bpf_map::name is BPF_OBJ_NAME_LEN (16).
> 
> bpf(2) {
>   map_create() {
>     bpf_obj_name_cpy(map->name, attr->map_name, sizeof(attr->map_name));
>   }
> }
> 
> When specifying a map name using bpftool map create name, no error is
> reported if the name length is greater than 15.
> 
>     $ sudo bpftool map create /sys/fs/bpf/12345678901234567890 \
>         type array key 4 value 4 entries 5 name 12345678901234567890
> 
> Users will think that 12345678901234567890 is legal, but this name cannot
> be used to index a map.
> 
>     $ sudo bpftool map show name 12345678901234567890
>     Error: can't parse name
> 
>     $ sudo bpftool map show
>     ...
>     1249: array  name 123456789012345  flags 0x0
>     	key 4B  value 4B  max_entries 5  memlock 304B
> 
>     $ sudo bpftool map show name 123456789012345
>     1249: array  name 123456789012345  flags 0x0
>     	key 4B  value 4B  max_entries 5  memlock 304B
> 
> The map name provided in the command line is truncated, but no error is
> reported. This submission checks the length of the map name.
> 
> Signed-off-by: Rong Tao <rongtao@cestc.cn>
> ---
>  tools/bpf/bpftool/map.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
> index ed4a9bd82931..fa00f7865065 100644
> --- a/tools/bpf/bpftool/map.c
> +++ b/tools/bpf/bpftool/map.c
> @@ -1330,6 +1330,12 @@ static int do_create(int argc, char **argv)
>  		goto exit;
>  	}
>  
> +	if (strlen(map_name) > BPF_OBJ_NAME_LEN - 1) {
> +		p_err("The map name is too long, should be less than %d\n",


Nit: I'd drop "The" (and the capital letter) for consistency with other
messages in bpftool; and I'd replace "less than ..." with "no longer
than %d characters\n" to make it explicit and avoid confusion between
"strictly less" and "less or equal".


> +		      BPF_OBJ_NAME_LEN - 1);
> +		goto exit;
> +	}
> +
>  	set_max_rlimit();
>  
>  	fd = bpf_map_create(map_type, map_name, key_size, value_size, max_entries, &attr);


There's no need to defer the check until after we've parsed all
arguments. Can you move it to the location where we retrieve the name,
please?:

		[...]
		} else if (is_prefix(*argv, "name")) {
			NEXT_ARG();
			map_name = GET_ARG();
		} else ...

pw-bot: cr

Apart from these, it's a good idea to fix it, thank you!
Quentin
Re: [PATCH bpf-next] bpftool: Check map name length when map create
Posted by Rong Tao 10 months, 1 week ago 
On 2/11/25 18:20, Quentin Monnet wrote:
> 2025-02-11 16:45 UTC+0800 ~ Rong Tao <rtoax@foxmail.com>
>> From: Rong Tao <rongtao@cestc.cn>
>>
>> The size of struct bpf_map::name is BPF_OBJ_NAME_LEN (16).
>>
>> bpf(2) {
>>    map_create() {
>>      bpf_obj_name_cpy(map->name, attr->map_name, sizeof(attr->map_name));
>>    }
>> }
>>
>> When specifying a map name using bpftool map create name, no error is
>> reported if the name length is greater than 15.
>>
>>      $ sudo bpftool map create /sys/fs/bpf/12345678901234567890 \
>>          type array key 4 value 4 entries 5 name 12345678901234567890
>>
>> Users will think that 12345678901234567890 is legal, but this name cannot
>> be used to index a map.
>>
>>      $ sudo bpftool map show name 12345678901234567890
>>      Error: can't parse name
>>
>>      $ sudo bpftool map show
>>      ...
>>      1249: array  name 123456789012345  flags 0x0
>>      	key 4B  value 4B  max_entries 5  memlock 304B
>>
>>      $ sudo bpftool map show name 123456789012345
>>      1249: array  name 123456789012345  flags 0x0
>>      	key 4B  value 4B  max_entries 5  memlock 304B
>>
>> The map name provided in the command line is truncated, but no error is
>> reported. This submission checks the length of the map name.
>>
>> Signed-off-by: Rong Tao <rongtao@cestc.cn>
>> ---
>>   tools/bpf/bpftool/map.c | 6 ++++++
>>   1 file changed, 6 insertions(+)
>>
>> diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
>> index ed4a9bd82931..fa00f7865065 100644
>> --- a/tools/bpf/bpftool/map.c
>> +++ b/tools/bpf/bpftool/map.c
>> @@ -1330,6 +1330,12 @@ static int do_create(int argc, char **argv)
>>   		goto exit;
>>   	}
>>   
>> +	if (strlen(map_name) > BPF_OBJ_NAME_LEN - 1) {
>> +		p_err("The map name is too long, should be less than %d\n",
>
> Nit: I'd drop "The" (and the capital letter) for consistency with other
> messages in bpftool; and I'd replace "less than ..." with "no longer
> than %d characters\n" to make it explicit and avoid confusion between
> "strictly less" and "less or equal".

Thanks, i'll submit another patch.

Rong Tao.

>
>> +		      BPF_OBJ_NAME_LEN - 1);
>> +		goto exit;
>> +	}
>> +
>>   	set_max_rlimit();
>>   
>>   	fd = bpf_map_create(map_type, map_name, key_size, value_size, max_entries, &attr);
>
> There's no need to defer the check until after we've parsed all
> arguments. Can you move it to the location where we retrieve the name,
> please?:
>
> 		[...]
> 		} else if (is_prefix(*argv, "name")) {
> 			NEXT_ARG();
> 			map_name = GET_ARG();
> 		} else ...
>
> pw-bot: cr
>
> Apart from these, it's a good idea to fix it, thank you!
> Quentin

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.