authorKP Singh <kpsingh@kernel.org>2026-02-05 07:38:07 +0100
committerAlexei Starovoitov <ast@kernel.org>2026-02-05 08:31:42 -0800
commitea1535e28bb3773fc0b3cbd1f3842b808016990c (patch)
treefa24efbf1b288571c2c85efe22564834fb8c3263
parent75cd3beb64d0977009e3d1a2d0c03715d3e5e156 (diff)
bpf: Limit bpf program signature size
Practical BPF signatures are significantly smaller than KMALLOC_MAX_CACHE_SIZE. Allowing larger sizes opens the door for abuse by passing excessive size values and forcing the kernel into expensive allocation paths (via kmalloc_large or vmalloc). Fixes: 349271568303 ("bpf: Implement signature verification for BPF programs") Reported-by: Chris Mason <clm@meta.com> Signed-off-by: KP Singh <kpsingh@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260205063807.690823-1-kpsingh@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-rw-r--r--kernel/bpf/syscall.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5f59dd47a5b1..93bc0f4c65c5 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2813,6 +2813,13 @@ static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr
void *sig;
int err = 0;
+ /*
+ * Don't attempt to use kmalloc_large or vmalloc for signatures.
+ * Practical signature for BPF program should be below this limit.
+ */
+ if (attr->signature_size > KMALLOC_MAX_CACHE_SIZE)
+ return -EINVAL;
+
if (system_keyring_id_check(attr->keyring_id) == 0)
key = bpf_lookup_system_key(attr->keyring_id);
else
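Review bot: The new bound `attr->signature_size > KMALLOC_MAX_CACHE_SIZE` ties a userspace-visible limit to an allocator-internal constant, which as far as I know scales with page size and slab configuration, so the largest signature the syscall accepts would differ between builds (a 64K-page kernel would accept far larger buffers than a 4K-page one). A fixed, BPF-specific cap would give a predictable limit and keep the resource-abuse bound independent of allocator changes, for example `if (attr->signature_size > BPF_SIG_MAX_SIZE)`, where `BPF_SIG_MAX_SIZE` is a placeholder name for a new constant no larger than `KMALLOC_MAX_CACHE_SIZE`. The added comment could also state the rationale as a bound on a caller-chosen allocation size rather than only naming the allocators being avoided. The body of bpf_prog_verify_signature starts and ends outside the hunk, so how a zero `signature_size` is handled is not visible here.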