bpf: Clamp trace length in __bpf_get_stack to fix OOB write

listout · Kernel Patches Daemon · commit d3ad3dae7729 · 2025-11-10T16:47:48.000-08:00
syzbot reported a stack-out-of-bounds write in __bpf_get_stack() triggered via bpf_get_stack() when capturing a kernel stack trace. After the recent refactor that introduced stack_map_calculate_max_depth(), the code in stack_map_get_build_id_offset() (and related helpers) stopped clamping the number of trace entries (`trace_nr`) to the number of elements that fit into the stack map value (`num_elem`). As a result, if the captured stack contained more frames than the map value can hold, the subsequent memcpy() would write past the end of the buffer, triggering a KASAN report like: BUG: KASAN: stack-out-of-bounds in __bpf_get_stack+0x... Write of size N at addr ... by task syz-executor... Restore the missing clamp by limiting `trace_nr` to `num_elem` before computing the copy length. This mirrors the pre-refactor logic and ensures we never copy more bytes than the destination buffer can hold. No functional change intended beyond reintroducing the missing bound check. Reported-by: syzbot+d1b7fa1092def3628bd7@syzkaller.appspotmail.com Fixes: e17d62f ("bpf: Refactor stack map trace depth calculation into helper function") Signed-off-by: Brahmajit Das <listout@listout.xyz>
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
@@ -480,6 +480,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	trace_nr = trace->nr - skip;
+	trace_nr = min_t(u32, trace_nr, max_depth - skip);
 	copy_len = trace_nr * elem_size;
 
 	ips = trace->ip + skip;

Original file line number	Diff line number	Diff line change
`@@ -480,6 +480,7 @@ static long __bpf_get_stack(struct pt_regs regs, struct task_struct task,`
`480`	`480`	`}`
`481`	`481`
`482`	`482`	`trace_nr = trace->nr - skip;`
	`483`	`+ trace_nr = min_t(u32, trace_nr, max_depth - skip);`
`483`	`484`	`copy_len = trace_nr * elem_size;`
`484`	`485`
`485`	`486`	`ips = trace->ip + skip;`