The libbpf static linker validates relocation type, symbol index and instruction alignment in linker_sanity_check_elf_relos(), but does not check that the relocation offset is inside the relocated section. A malformed BPF object processed by the static linker (e.g. via "bpftool gen object") can therefore carry an out-of-range r_offset that linker_append_elf_relos() then uses to index the section data, reading and writing past the buffer.
The normal object-loading path already rejects such offsets (libbpf.c, rel->r_offset >= scn_data->d_size); the static linker path is the missing sibling. Patch 1 adds the same bound. Patch 2 adds a selftest that builds a tiny object with an out-of-range relocation offset and checks that the linker now rejects it, with a valid relocation as a positive control. Reproduced with ASAN: before patch 1 the out-of-range relocation is accepted (and triggers a heap-buffer-overflow); after, it is rejected with -EINVAL.

HyeongJun An (2):
  libbpf: Reject out-of-range linker relocation offsets
  selftests/bpf: Test linker rejects out-of-range relocation offset

 tools/lib/bpf/linker.c                       |   6 +
 .../selftests/bpf/prog_tests/libbpf_linker.c | 212 ++++++++++++++++++
 2 files changed, 218 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/libbpf_linker.c

-- 
2.43.0
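To illustrate the bound the series adds, here is a small standalone C sketch written for this note; it is not libbpf's code and does not use its types. It models a section as a byte buffer with a size (standing in for scn_data->d_size) and a relocation record with an r_offset, and shows the offset-inside-section check sitting in front of the write that would otherwise index past the buffer. The instruction-alignment test and the 8-byte BPF instruction size are assumptions about what linker_sanity_check_elf_relos() already enforces, included only so the validator is complete; the struct names, demo_apply() and the sample section contents are constructed here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: one BPF instruction is 8 bytes; relocations must land on an
 * instruction boundary. */
#define BPF_INSN_SZ 8

/* Hypothetical, simplified stand-ins for the ELF section and relocation
 * records the linker walks (not libbpf's own types). */
struct section {
	uint8_t *data;
	size_t size;      /* plays the role of scn_data->d_size */
};

struct reloc {
	size_t r_offset;  /* byte offset of the instruction being relocated */
	uint32_t sym_idx;
	uint32_t type;
};

/* The bound the series adds to the linker path, mirroring the one the
 * object loader already has: r_offset must lie inside the section. The
 * alignment test models the existing sanity check. 0 if ok, -EINVAL otherwise. */
int reloc_offset_ok(const struct reloc *rel, const struct section *scn)
{
	if (rel->r_offset >= scn->size)
		return -EINVAL;        /* would index past scn->data */
	if (rel->r_offset % BPF_INSN_SZ)
		return -EINVAL;        /* not on an instruction boundary (assumed) */
	return 0;
}

/* Patch the 32-bit immediate of the instruction at r_offset, but only
 * after the bound check has passed. Returns 0 on success or -EINVAL. */
int apply_reloc_checked(const struct reloc *rel, struct section *scn, int32_t imm)
{
	int err = reloc_offset_ok(rel, scn);

	if (err)
		return err;
	/* BPF insn layout: code(1) regs(1) off(2) imm(4); imm lives at byte 4 */
	memcpy(scn->data + rel->r_offset + 4, &imm, sizeof(imm));
	return 0;
}

/* Constructed scenario: relocate into a fresh 3-instruction section at
 * r_offset and return the immediate read back, or the negative error if the
 * relocation was rejected. */
int32_t demo_apply(size_t r_offset)
{
	uint8_t buf[3 * BPF_INSN_SZ] = {0};
	struct section scn = { buf, sizeof(buf) };
	struct reloc rel = { r_offset, 1, 1 };
	int32_t imm;
	int err = apply_reloc_checked(&rel, &scn, 42);

	if (err)
		return err;
	memcpy(&imm, buf + r_offset + 4, sizeof(imm));
	return imm;
}

int main(void)
{
	printf("in-range (8):    %d\n", demo_apply(8));     /* 42 */
	printf("past-end (24):   %d\n", demo_apply(24));    /* -EINVAL */
	printf("unaligned (4):   %d\n", demo_apply(4));     /* -EINVAL */
	printf("far out (4096):  %d\n", demo_apply(4096));  /* -EINVAL */
	return 0;
}
```

The comparison is deliberately `>=`: an offset equal to the section size is already one past the last byte, which is exactly the case the page's loader-side check (rel->r_offset >= scn_data->d_size) rejects.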

