libbpf: Skip max_entries override on signed loaders
authorDaniel Borkmann <daniel@iogearbox.net>
Mon, 1 Jun 2026 15:02:46 +0000 (17:02 +0200)
committerAlexei Starovoitov <ast@kernel.org>
Tue, 2 Jun 2026 01:36:40 +0000 (18:36 -0700)
bpf_gen__map_create() lets the host-supplied loader ctx override a
map's max_entries at runtime (map_desc[idx].max_entries, when non-zero).
This is how the light skeleton sizes maps to the target machine, but
it happens after emit_signature_match() and is covered by neither the
signed loader instructions nor the hashed blob.

For a signed loader this means an untrusted host can re-dimension the
program's maps, outside what the signature attests to. Gate the override
on gen_hash so signed loaders use the signer-provided max_entries baked
into the blob.

Fixes: ea923080c145 ("libbpf: Embed and verify the metadata hash in the loader")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260601150248.394863-6-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
tools/lib/bpf/gen_loader.c

index a5d9c7a5261b07cb22e15ef89a163f43587cef75..66e13566bc31e52bd157a3765b94a5f634ea44dd 100644 (file)
@@ -546,13 +546,22 @@ void bpf_gen__map_create(struct bpf_gen *gen,
        default:
                break;
        }
-       /* conditionally update max_entries */
-       if (map_idx >= 0)
+
+       /*
+        * Conditionally update max_entries from the host-supplied loader
+        * ctx. This sizes the map at runtime, but for a signed loader
+        * (gen_hash) it would let an untrusted host re-dimension the
+        * program's maps after emit_signature_match(), outside what the
+        * signature attests to. Keep the signer-provided max_entries
+        * baked into the blob in that case.
+        */
+       if (map_idx >= 0 && !OPTS_GET(gen->opts, gen_hash, false))
                move_ctx2blob(gen, attr_field(map_create_attr, max_entries), 4,
                              sizeof(struct bpf_loader_ctx) +
                              sizeof(struct bpf_map_desc) * map_idx +
                              offsetof(struct bpf_map_desc, max_entries),
                              true /* check that max_entries != 0 */);
+
        /* emit MAP_CREATE command */
        emit_sys_bpf(gen, BPF_MAP_CREATE, map_create_attr, attr_size);
        debug_ret(gen, "map_create %s idx %d type %d value_size %d value_btf_id %d",
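Review bot: With the new `if (map_idx >= 0 && !OPTS_GET(gen->opts, gen_hash, false))` guard, a signed loader drops a non-zero `map_desc[idx].max_entries` from the loader ctx without any trace, so a caller who sets it gets neither an error nor a resized map. The block comment could state this outright, for example by appending `A non-zero ctx max_entries is silently ignored for signed loaders.`, and the same caveat probably belongs wherever the light-skeleton ctx fields are documented (not visible here). Whether other ctx-derived values consumed after emit_signature_match() need the same gate cannot be judged from this hunk, since bpf_gen__map_create() starts and ends outside it. A selftest that runs a signed loader with a non-zero ctx max_entries and checks that the created map keeps the signed size would pin the behaviour.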