Re: [PATCH bpf] bpf: Validate BTF repeated field counts before expansion

From: Eduard Zingerman

Date: Mon Jun 08 2026 - 16:05:43 EST


On Fri, 2026-06-05 at 23:43 +0000, Paul Moses wrote:
> btf_parse_struct_metas() walks user-supplied BTF during BPF_BTF_LOAD,
> and btf_repeat_fields() expands repeatable fields from array elements
> into the fixed BTF_FIELDS_MAX scratch array used by btf_parse_fields().
>
> The remaining-capacity check performs the expanded field count calculation
> in u32. A malformed BTF can wrap that calculation, causing the check to
> pass even when the expanded field count exceeds the scratch array
> capacity. The following memcpy() can then write past the end of the
> array.
>
> Use checked addition and multiplication before copying repeated fields
> and reject impossible counts.
>
> Fixes: 797d73ee232d ("bpf: Check the remaining info_cnt before repeating btf fields")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Paul Moses <p@xxxxxxx>
> ---

Regardless of the sibling email I sent, I think that this is a good
defensive practice to use check_{add,mul}_overflow() here.
Having said that, it would be nice to have a selftest in the patch-set.

Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>

[...]
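The u32 wrap the commit message describes, and the checked-arithmetic fix the reply endorses, in an added stand-alone C example (not kernel code): `cap_check_unchecked()`/`cap_check_checked()`, `FIELDS_MAX` and the argument layout are assumptions that model a btf_repeat_fields()-style capacity test, with __builtin_*_overflow standing in for the kernel's check_{add,mul}_overflow() macros, which wrap the same builtins.

```c
/* Added example, not kernel code: models the remaining-capacity check
 * that gates copying repeated BTF fields into a fixed scratch array.
 * Function names, FIELDS_MAX and argument layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

#define FIELDS_MAX 11u  /* constructed stand-in for BTF_FIELDS_MAX */

/* Buggy pattern: expanded count computed in u32, free to wrap mod 2^32.
 * Returns true when the copy would be allowed to proceed. */
static bool cap_check_unchecked(u32 info_cnt, u32 nelems, u32 field_cnt)
{
	u32 expanded = nelems * field_cnt;  /* may wrap to a small value */
	u32 total = info_cnt + expanded;    /* may wrap again */
	return total <= FIELDS_MAX;
}

/* Fixed pattern: the builtins report whether the mathematically exact
 * product/sum fits in the u32 destination; any wrap rejects the input. */
static bool cap_check_checked(u32 info_cnt, u32 nelems, u32 field_cnt)
{
	u32 expanded, total;

	if (__builtin_mul_overflow(nelems, field_cnt, &expanded))
		return false;  /* impossible count, reject before any copy */
	if (__builtin_add_overflow(info_cnt, expanded, &total))
		return false;
	return total <= FIELDS_MAX;
}

int main(void)
{
	/* Constructed inputs: (already used, array elements, fields per element). */
	struct { u32 cnt, n, f; } in[] = {
		{ 3, 2, 4 },            /* 3 + 8  = 11: legitimately fits */
		{ 3, 3, 4 },            /* 3 + 12 = 15: legitimately too big */
		{ 3, 0x80000000u, 2 },  /* product wraps to 0: unchecked passes */
		{ 5, 1, 0xFFFFFFFFu },  /* sum wraps to 4: unchecked passes */
	};
	for (unsigned i = 0; i < sizeof(in) / sizeof(in[0]); i++)
		printf("cnt=%u n=%#x f=%#x unchecked=%d checked=%d\n",
		       in[i].cnt, in[i].n, in[i].f,
		       cap_check_unchecked(in[i].cnt, in[i].n, in[i].f),
		       cap_check_checked(in[i].cnt, in[i].n, in[i].f));
	return 0;
}
```

The last two rows are the shape of input the patch rejects: the wrapped u32 arithmetic reports plenty of room, while the checked version refuses before the memcpy() is reached.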