On Sun Jun 14, 2026 at 2:26 AM PDT, HyeongJun An wrote:
> The static linker sanity-checks relocation sections before appending them,
> but for executable target sections it only verifies that r_offset is
> BPF-instruction aligned. It does not verify that the offset is inside the
> relocated section.
>
> A malformed object can therefore pass an out-of-range offset through
> linker_sanity_check_elf_relos(). When the relocation is against an
> STT_SECTION symbol, linker_append_elf_relos() uses the unchecked offset to
> find the instruction to adjust:
>
>     insn = dst_linked_sec->raw_data + dst_rel->r_offset;
>
> and then reads insn->code and updates insn->imm.
>
> This is reproducible with bpftool's static linker by crafting a BPF object
> with a 16-byte executable section and a relocation in its .rel section
> whose r_offset is 0x1000:
libbpf trusts ELF. There are many ways to crash libbpf and libelf, for that
matter, with corrupted ELF. Please don't send such hardening patches.

pw-bot: cr


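As an added example (not code from this thread and not libbpf's own code), the C below models the relocation check the quoted report describes for an executable target section: the alignment-only test the report says the linker performs, and the in-section range test it says is missing. struct bpf_insn is a local 8-byte copy of the kernel's instruction layout; exec_sec, relo_offset_aligned, relo_offset_valid, apply_section_relo and demo are stand-ins invented for this example, not libbpf types or functions, and the 16-byte section and offsets are constructed input mirroring the report's reproducer.

```c
/* Added example, not libbpf code: a relocation r_offset check for an
 * executable (instruction) target section, with and without a range test.
 * struct bpf_insn is a local copy of the kernel layout; everything else is
 * a stand-in invented for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 8-byte BPF instruction, same field layout as the kernel's struct bpf_insn
 * (dst_reg/src_reg packed into one byte here to avoid bitfield portability). */
struct bpf_insn {
	uint8_t code;
	uint8_t regs;  /* dst_reg:4, src_reg:4 */
	int16_t off;
	int32_t imm;
};

/* Minimal stand-in for the linker's view of a linked executable section. */
struct exec_sec {
	uint8_t *raw_data;
	size_t sec_sz;
};

/* What the report says the linker checks today: alignment only. An r_offset
 * of 0x1000 passes this test for a 16-byte section. */
static bool relo_offset_aligned(uint64_t r_offset)
{
	return r_offset % sizeof(struct bpf_insn) == 0;
}

/* The range test the report says is missing: the whole instruction must lie
 * inside the section. Compare before subtracting so a huge r_offset cannot
 * wrap the arithmetic. */
static bool relo_offset_valid(uint64_t r_offset, size_t sec_sz)
{
	if (!relo_offset_aligned(r_offset))
		return false;
	if (r_offset > sec_sz)
		return false;
	return sec_sz - r_offset >= sizeof(struct bpf_insn);
}

/* Apply an STT_SECTION relocation the way the quoted code does (raw_data +
 * r_offset, then adjust imm), but only after the range check. memcpy is used
 * instead of a direct struct pointer so the byte buffer needs no alignment.
 * Returns 0 if applied, -1 if the relocation was rejected. */
static int apply_section_relo(struct exec_sec *sec, uint64_t r_offset, int32_t sym_off)
{
	struct bpf_insn insn;

	if (!relo_offset_valid(r_offset, sec->sec_sz))
		return -1;
	memcpy(&insn, sec->raw_data + r_offset, sizeof(insn));
	insn.imm += sym_off;
	memcpy(sec->raw_data + r_offset, &insn, sizeof(insn));
	return 0;
}

/* Constructed input: a 16-byte executable section (two instructions, the
 * first coded as BPF_LD|BPF_IMM|BPF_DW = 0x18) and a set of r_offset values a
 * crafted object might carry, including the report's 0x1000. Returns how many
 * relocations were rejected. */
int demo(void)
{
	struct bpf_insn insns[2] = {
		{ .code = 0x18, .regs = 0, .off = 0, .imm = 0 },
		{ .code = 0x00, .regs = 0, .off = 0, .imm = 0 },
	};
	struct exec_sec sec = { .raw_data = (uint8_t *)insns, .sec_sz = sizeof(insns) };
	const uint64_t offsets[] = { 0x0, 0x4, 0x8, 0x10, 0x1000, UINT64_MAX - 7 };
	int rejected = 0;
	size_t i;

	for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
		int rc = apply_section_relo(&sec, offsets[i], 0x20);
		if (rc < 0)
			rejected++;
		printf("r_offset=0x%llx aligned=%d in_range=%d -> %s\n",
		       (unsigned long long)offsets[i],
		       relo_offset_aligned(offsets[i]),
		       relo_offset_valid(offsets[i], sec.sec_sz),
		       rc < 0 ? "rejected" : "applied");
	}
	return rejected;
}

int main(void)
{
	printf("rejected %d relocation(s)\n", demo());
	return 0;
}
```

Of the six constructed offsets, 0x0 and 0x8 are applied; 0x4 fails alignment; 0x10 is aligned but leaves no room for an instruction inside a 16-byte section; 0x1000 and the near-UINT64_MAX value are aligned (so they pass the alignment-only test) but fail the range test.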