bpf: Limit bpf program signature size · tjh.dev/kernel@ea1535e

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

bpf: Limit bpf program signature size

Practical BPF signatures are significantly smaller than
KMALLOC_MAX_CACHE_SIZE

Allowing larger sizes opens the door for abuse by passing excessive
size values and forcing the kernel into expensive allocation paths (via
kmalloc_large or vmalloc).

Fixes: 349271568303 ("bpf: Implement signature verification for BPF programs")
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260205063807.690823-1-kpsingh@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

KP Singh and committed by

Alexei Starovoitov 4 months ago ea1535e2 75cd3beb

1 changed file

expand all

kernel

bpf

syscall.c

kernel/bpf/syscall.c

··· 2813 2813 void *sig; 2814 2814 int err = 0; 2815 2815 2816 + /* 2817 + * Don't attempt to use kmalloc_large or vmalloc for signatures. 2818 + * Practical signature for BPF program should be below this limit. 2819 + */ 2820 + if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE) 2821 + return -EINVAL; 2822 + 2816 2823 if (system_keyring_id_check(attr->keyring_id) == 0) 2817 2824 key = bpf_lookup_system_key(attr->keyring_id); 2818 2825 else

Configure Feed

Configure Feed