8 changes: 6 additions & 2 deletions main.c
@@ -1,5 +1,5 @@


/* For using free() */
#include <stdlib.h>
#include "seccomp.h"

int main(int argc, char **argv) {
Expand All @@ -13,7 +13,11 @@ int main(int argc, char **argv) {
const char *profile_path = argv[1];
FILE *file = sc_must_read_and_validate_header_from_file(profile_path, &hdr);
sc_must_read_filter_from_file(file, hdr.len_filter, &prog_allow);
/* Close file as we are done reading */
fclose(file);


sc_apply_seccomp_filter(&prog_allow);
/* Clear filter memory */
free(prog_allow.filter);
}
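Review bot: The added `free(prog_allow.filter)` comes after `sc_apply_seccomp_filter(&prog_allow)`, so it already executes under the filter that was just installed. The kernel keeps its own copy of the program once the filter is attached, so releasing the buffer does not affect enforcement. If the allocator hands the memory back to the OS (for example `munmap` on a large buffer), the loaded profile has to permit that syscall; whether this can happen depends on MAX_BPF_SIZE and the profile, neither of which is visible here. I would either document it at the call, e.g. `/* kernel holds its own copy; this free() already runs under the new filter */`, or drop the free since main returns immediately afterwards.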
32 changes: 30 additions & 2 deletions seccomp.c
Expand Up @@ -41,16 +41,45 @@ FILE* sc_must_read_and_validate_header_from_file(const char *profile_path, struc
if (num_read < sizeof(struct sc_seccomp_file_header)) {
die("short read on seccomp header: %zu", num_read);
}

/* Validation: Magic Bytes */
if (hdr->header[0] != SC_HEADER_MAGIC_0 || hdr->header[1] != SC_HEADER_MAGIC_1) {
die("invalid seccomp file header magic");
}

/* Validation: Version */
if (hdr->version != SC_VERSION) {
die("unsupported seccomp file version: %d", hdr->version);
}

/* Validation: Filter Length (Size Limit) */
if (hdr->len_filter > MAX_BPF_SIZE) {
die("seccomp filter too large: %u (max %d)", hdr->len_filter, MAX_BPF_SIZE);
}

/* Validation: Filter Length (Alignment) */
if (hdr->len_filter % sizeof(struct sock_filter) != 0) {
die("invalid seccomp filter length: %u (must be multiple of %zu)",
hdr->len_filter, sizeof(struct sock_filter));
}

return file;
}

void sc_must_read_filter_from_file(FILE *file, uint32_t len_bytes, struct sock_fprog *prog)
{
/* Double check length before allocation */
if (len_bytes > MAX_BPF_SIZE) {
die("filter length %u exceeds max %d", len_bytes, MAX_BPF_SIZE);
}

prog->len = len_bytes / sizeof(struct sock_filter);
prog->filter = (struct sock_filter *)malloc(MAX_BPF_SIZE);

prog->filter = (struct sock_filter *)malloc(len_bytes);
if (prog->filter == NULL) {
die("cannot allocate %u bytes of memory for seccomp filter ", len_bytes);
}

size_t num_read = fread(prog->filter, 1, len_bytes, file);
if (ferror(file)) {
die("cannot read filter");
Expand All @@ -71,4 +100,3 @@ void sc_apply_seccomp_filter(struct sock_fprog *prog) {
die("cannot apply seccomp profile");
}
}
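Review bot: The new length validation in sc_must_read_and_validate_header_from_file rejects oversized and misaligned values but still accepts `len_filter == 0`, and nothing ties the limit to the width of `prog->len`. With a zero length, `malloc(0)` is allowed to return NULL, so sc_must_read_filter_from_file would die with a misleading allocation error, or else pass an empty program on to the apply step. `prog->len` in `struct sock_fprog` is an `unsigned short`, so `len_bytes / sizeof(struct sock_filter)` would be silently truncated if MAX_BPF_SIZE (defined outside this page) allows more than USHRT_MAX instructions, and a shorter filter than the one read would be installed. I would add `if (hdr->len_filter == 0) die("seccomp filter is empty");` next to the other checks and confirm that MAX_BPF_SIZE does not exceed `BPF_MAXINSNS * sizeof(struct sock_filter)`. The reader's body continues past the end of the first hunk, so its short-read handling is not covered here.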

5 changes: 5 additions & 0 deletions seccomp.h
Expand Up @@ -7,6 +7,11 @@

#include <linux/filter.h>

/* Validations Constants */
#define SC_HEADER_MAGIC_0 'S'
#define SC_HEADER_MAGIC_1 'C'
#define SC_VERSION 1

struct sc_seccomp_file_header {
char header[2];
uint8_t version;