bpf: Limit bpf program signature size
authorKP Singh <kpsingh@kernel.org>
Thu, 5 Feb 2026 06:38:07 +0000 (07:38 +0100)
committerAlexei Starovoitov <ast@kernel.org>
Thu, 5 Feb 2026 16:31:42 +0000 (08:31 -0800)
Practical BPF signatures are significantly smaller than
KMALLOC_MAX_CACHE_SIZE

Allowing larger sizes opens the door for abuse by passing excessive
size values and forcing the kernel into expensive allocation paths (via
kmalloc_large or vmalloc).

Fixes: 349271568303 ("bpf: Implement signature verification for BPF programs")
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260205063807.690823-1-kpsingh@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/syscall.c

index 5f59dd47a5b1c3b80652dabd64ad7853ac1db083..93bc0f4c65c57be6f045aa5b12f283cb3d6068ad 100644 (file)
@@ -2813,6 +2813,13 @@ static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr
        void *sig;
        int err = 0;
 
+       /*
+        * Don't attempt to use kmalloc_large or vmalloc for signatures.
+        * Practical signature for BPF program should be below this limit.
+        */
+       if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)
+               return -EINVAL;
+
        if (system_keyring_id_check(attr->keyring_id) == 0)
                key = bpf_lookup_system_key(attr->keyring_id);
        else
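Review bot: The bound added at `if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)` ties a limit that userspace can observe to an allocator-internal constant. As far as I know that constant scales with the page size and slab configuration, so the largest accepted signature would differ between, say, 4K-page and 64K-page kernels. A fixed cap defined alongside the BPF signature code would bound the allocation identically everywhere, for example `if (attr->signature_size > BPF_SIG_MAX_SIZE)`, where `BPF_SIG_MAX_SIZE` is a placeholder name and not an existing macro. If the allocator constant is kept, the comment should at least say so, e.g. `/* Limit is KMALLOC_MAX_CACHE_SIZE, which depends on PAGE_SIZE; larger signatures get -EINVAL. */`. The check also lets a zero `signature_size` through, and since the rest of bpf_prog_verify_signature lies outside this hunk I cannot confirm whether that case is rejected before the copy from userspace.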