[PATCHv6 10/13] kexec_file: Integrate bpf light skeleton to load image with bpf-prog

bot+bpf-ci at kernel.org bot+bpf-ci at kernel.org
Mon Jan 19 10:45:36 PST 2026 

> diff --git a/kernel/kexec_bpf_loader.c b/kernel/kexec_bpf_loader.c
> index 5ad67672dead..9f1c5aede42e 100644
> --- a/kernel/kexec_bpf_loader.c
> +++ b/kernel/kexec_bpf_loader.c

[ ... ]

> +static void *get_symbol_from_elf(const char *elf_data, size_t elf_size,
> +		const char *symbol_name, unsigned int *symbol_size)
> +{
> +	Elf_Ehdr *ehdr = (Elf_Ehdr *)elf_data;
> +	Elf_Shdr *shdr, *dst_shdr;
> +	const Elf_Sym *sym;
> +	void *symbol_data;
> +
> +	if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0) {
> +		pr_err("Not a valid ELF file\n");
> +		return NULL;
> +	}
> +
> +	sym = elf_find_symbol(ehdr, symbol_name);
> +	if (!sym)
> +		return NULL;
> +	shdr = (struct elf_shdr *)(elf_data + ehdr->e_shoff);
> +	dst_shdr = &shdr[sym->st_shndx];
> +	symbol_data = (void *)(elf_data + dst_shdr->sh_offset + sym->st_value);
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The elf_size parameter is declared but never used in this function. The
pointer calculations at ehdr->e_shoff, shdr[sym->st_shndx], and
dst_shdr->sh_offset + sym->st_value could all access memory beyond the
ELF buffer if the ELF data is malformed. Should there be bounds checking
against elf_size to prevent out-of-bounds reads?

> +	*symbol_size = sym->st_size;
> +
> +	return symbol_data;
> +}
> +
>  /* Load a ELF */
>  static int arm_bpf_prog(char *bpf_elf, unsigned long sz)
>  {
> +	opts_data = get_symbol_from_elf(bpf_elf, sz, "opts_data", &opts_data_sz);
> +	opts_insn = get_symbol_from_elf(bpf_elf, sz, "opts_insn", &opts_insn_sz);
> +	if (!opts_data || !opts_insn)
> +		return -1;
> +	/*
> +	 * When light skeleton generates opts_data[] and opts_insn[], it appends a
> +	 * NULL terminator at the end of string
> +	 */
> +	opts_data_sz = opts_data_sz - 1;
> +	opts_insn_sz = opts_insn_sz - 1;
                      ^^^^^^^^^^^^^^^^^^

If sym->st_size is 0 for either opts_data or opts_insn symbols in the ELF,
then opts_data_sz or opts_insn_sz would be 0 after get_symbol_from_elf()
returns. Subtracting 1 from an unsigned int with value 0 would cause an
integer underflow to UINT_MAX. This large value would then be passed to
bpf_load_and_run() via the opts structure. Would it make sense to check
that opts_data_sz and opts_insn_sz are non-zero before the subtraction?

> +
> +	pe_parser = kexec_pe_parser_bpf__open_and_load();
> +	if (!pe_parser)
> +		return -1;
> +	kexec_pe_parser_bpf__attach(pe_parser);
> +
> +	return 0;
>  }

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407

More information about the kexec mailing list