Skip to content

bpf: Clamp trace length in __bpf_get_stack to fix OOB write #6330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

bpf: Clamp trace length in __bpf_get_stack to fix OOB write #6330

wants to merge 2 commits into from

Conversation

@kernel-patches-daemon-bpf-rc
Copy link

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot commented Nov 11, 2025

Pull request for series with
subject: bpf: Clamp trace length in __bpf_get_stack to fix OOB write
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 11, 2025

Upstream branch: 026bcf9
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 12, 2025

Upstream branch: 026bcf9
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 13, 2025

Upstream branch: f1d8c65
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 13, 2025

Upstream branch: 93ce3be
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 14, 2025

Upstream branch: 93ce3be
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 14, 2025

Upstream branch: c1da3df
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 14, 2025

Upstream branch: fea3f5e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 14, 2025

Upstream branch: 63066b7
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

Upstream branch: c133390
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

Upstream branch: ef2c0b2
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

Upstream branch: a4d31f4
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

Upstream branch: 4f7bc83
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

Upstream branch: 6cc73f3
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938
version: 3

@listout
bpf: Clamp trace length in __bpf_get_stack to fix OOB write
b39a762 
syzbot reported a stack-out-of-bounds write in __bpf_get_stack()
triggered via bpf_get_stack() when capturing a kernel stack trace.

After the recent refactor that introduced stack_map_calculate_max_depth(),
the code in stack_map_get_build_id_offset() (and related helpers) stopped
clamping the number of trace entries (`trace_nr`) to the number of elements
that fit into the stack map value (`num_elem`).

As a result, if the captured stack contained more frames than the map value
can hold, the subsequent memcpy() would write past the end of the buffer,
triggering a KASAN report like:

    BUG: KASAN: stack-out-of-bounds in __bpf_get_stack+0x...
    Write of size N at addr ... by task syz-executor...

Restore the missing clamp by limiting `trace_nr` to `num_elem` before
computing the copy length. This mirrors the pre-refactor logic and ensures
we never copy more bytes than the destination buffer can hold.

No functional change intended beyond reintroducing the missing bound check.

Reported-by: [email protected]
Fixes: e17d62f ("bpf: Refactor stack map trace depth calculation into helper function")
Signed-off-by: Brahmajit Das <[email protected]>
Acked-by: Yonghong Song <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1021938 expired. Closing PR.

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot deleted the series/1021938=>bpf-next branch November 17, 2025 11:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bpf-next changes-requested V3-ci-fail V3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@listout