Re: [systemd-devel] [PATCHv6 10/13] kexec_file: Integrate bpf light skeleton to load image with bpf-prog

Mon, 19 Jan 2026 10:45:47 -0800 

> diff --git a/kernel/kexec_bpf_loader.c b/kernel/kexec_bpf_loader.c
> index 5ad67672dead..9f1c5aede42e 100644
> --- a/kernel/kexec_bpf_loader.c
> +++ b/kernel/kexec_bpf_loader.c

[ ... ]

> +static void *get_symbol_from_elf(const char *elf_data, size_t elf_size,
> +             const char *symbol_name, unsigned int *symbol_size)
> +{
> +     Elf_Ehdr *ehdr = (Elf_Ehdr *)elf_data;
> +     Elf_Shdr *shdr, *dst_shdr;
> +     const Elf_Sym *sym;
> +     void *symbol_data;
> +
> +     if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0) {
> +             pr_err("Not a valid ELF file\n");
> +             return NULL;
> +     }
> +
> +     sym = elf_find_symbol(ehdr, symbol_name);
> +     if (!sym)
> +             return NULL;
> +     shdr = (struct elf_shdr *)(elf_data + ehdr->e_shoff);
> +     dst_shdr = &shdr[sym->st_shndx];
> +     symbol_data = (void *)(elf_data + dst_shdr->sh_offset + sym->st_value);
                                         
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The elf_size parameter is declared but never used in this function. The
pointer calculations at ehdr->e_shoff, shdr[sym->st_shndx], and
dst_shdr->sh_offset + sym->st_value could all access memory beyond the
ELF buffer if the ELF data is malformed. Should there be bounds checking
against elf_size to prevent out-of-bounds reads?

> +     *symbol_size = sym->st_size;
> +
> +     return symbol_data;
> +}
> +
>  /* Load a ELF */
>  static int arm_bpf_prog(char *bpf_elf, unsigned long sz)
>  {
> +     opts_data = get_symbol_from_elf(bpf_elf, sz, "opts_data", 
> &opts_data_sz);
> +     opts_insn = get_symbol_from_elf(bpf_elf, sz, "opts_insn", 
> &opts_insn_sz);
> +     if (!opts_data || !opts_insn)
> +             return -1;
> +     /*
> +      * When light skeleton generates opts_data[] and opts_insn[], it 
> appends a
> +      * NULL terminator at the end of string
> +      */
> +     opts_data_sz = opts_data_sz - 1;
> +     opts_insn_sz = opts_insn_sz - 1;
                      ^^^^^^^^^^^^^^^^^^

If sym->st_size is 0 for either opts_data or opts_insn symbols in the ELF,
then opts_data_sz or opts_insn_sz would be 0 after get_symbol_from_elf()
returns. Subtracting 1 from an unsigned int with value 0 would cause an
integer underflow to UINT_MAX. This large value would then be passed to
bpf_load_and_run() via the opts structure. Would it make sense to check
that opts_data_sz and opts_insn_sz are non-zero before the subtraction?

> +
> +     pe_parser = kexec_pe_parser_bpf__open_and_load();
> +     if (!pe_parser)
> +             return -1;
> +     kexec_pe_parser_bpf__attach(pe_parser);
> +
> +     return 0;
>  }

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407

Reply via email to