On Tue, Mar 24, 2026 at 9:16 AM Kees Cook <[email protected]> wrote:
>
> Replace the deprecated[1] strncpy() with strnlen() on the source
> followed by memcpy(). Normally strscpy() would be used in this case,
> but skel_internal.h is shared between kernel and userspace tools, and
> strscpy() is not available in the userspace build context.
>
> The source map_name is a NUL-terminated C string (the only caller
> passes the "__loader.map" 12 character string literal). The destination
> attr.map_name is char[BPF_OBJ_NAME_LEN] (16 bytes) in union bpf_attr,
> ultimately passed to the bpf() syscall.
>
> The bpf(BPF_MAP_CREATE) syscall, through bpf_obj_name_cpy(), requires a
> NUL terminator within this 16-byte array, rejecting names that use all 16
> bytes. Valid names are therefore at most 15 characters, but this wasn't
> being checked via the skel_map_create() path. Add a matching check and
> refuse 16+ character strings early, as they would be refused later by
> bpf_obj_name_cpy().
>
> The attr is pre-zeroed with memset() at the top of the function, so
> the last byte of attr.map_name is always NUL, meaning the memcpy()
> of just the non-NUL characters from the source will always produce a
> NUL-terminated destination string.
>
> Link: https://github.com/KSPP/linux/issues/90 [1]
> Signed-off-by: Kees Cook <[email protected]> > --- > v3: instead of truncation, refuse the long length (test appears to have been > a flake) > v2: https://lore.kernel.org/lkml/[email protected]/ > v1: https://lore.kernel.org/lkml/[email protected]/ > Cc: Alexei Starovoitov <[email protected]> > Cc: Jiri Olsa <[email protected]> > Cc: sun jian <[email protected]> > Cc: Andrii Nakryiko <[email protected]> > Cc: Eduard Zingerman <[email protected]> > Cc: Daniel Borkmann <[email protected]> > Cc: Martin KaFai Lau <[email protected]> > Cc: Song Liu <[email protected]> > Cc: Yonghong Song <[email protected]> > Cc: John Fastabend <[email protected]> > Cc: KP Singh <[email protected]> > Cc: Stanislav Fomichev <[email protected]> > Cc: Hao Luo <[email protected]> > Cc: <[email protected]> > --- > tools/lib/bpf/skel_internal.h | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/tools/lib/bpf/skel_internal.h b/tools/lib/bpf/skel_internal.h > index 6a8f5c7a02eb..2d38c387f43c 100644 > --- a/tools/lib/bpf/skel_internal.h > +++ b/tools/lib/bpf/skel_internal.h > @@ -236,6 +236,7 @@ static inline int skel_map_create(enum bpf_map_type > map_type, > { > const size_t attr_sz = offsetofend(union bpf_attr, > excl_prog_hash_size); > union bpf_attr attr; > + size_t map_name_len; > > memset(&attr, 0, attr_sz); > > @@ -243,7 +244,12 @@ static inline int skel_map_create(enum bpf_map_type > map_type, > attr.excl_prog_hash = (unsigned long) excl_prog_hash; > attr.excl_prog_hash_size = excl_prog_hash_sz; > > - strncpy(attr.map_name, map_name, sizeof(attr.map_name)); > + /* attr.map_name must be NUL-terminated, like bpf_obj_name_cpy() */ > + map_name_len = strnlen(map_name, sizeof(attr.map_name)); > + if (map_name_len == sizeof(attr.map_name)) > + return -EINVAL; > + memcpy(attr.map_name, map_name, map_name_len);
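Review bot: In the second hunk, the memcpy() copies only map_name_len bytes and writes no terminator, so the NUL in attr.map_name comes entirely from the earlier memset(&attr, 0, attr_sz), which zeroes attr_sz bytes rather than sizeof(attr). The added comment states the requirement but not where the terminator comes from; it would help to say there that the field is pre-zeroed by that memset() and that names of sizeof(attr.map_name) or more characters are refused with -EINVAL, so a later change to the zeroing does not silently drop the termination. It is also worth confirming that returning -EINVAL directly matches how this function's other failure paths report errors in both the kernel and userspace builds, since those paths are not visible in this hunk.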
and now you keep spamming without waiting for replies. nack. pw-bot: cr

