Re: [PATCH] bpf: Format string can't be empty

From: Edward Adam Davis
Date: Wed Jan 07 2026 - 22:55:42 EST


On Wed, 7 Jan 2026 19:02:37 -0800, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote:
> > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> > index db72b96f9c8c..88da2d0e634c 100644
> > --- a/kernel/bpf/helpers.c
> > +++ b/kernel/bpf/helpers.c
> > @@ -827,7 +827,7 @@ int bpf_bprintf_prepare(const char *fmt, u32 fmt_size, const u64 *raw_args,
> > char fmt_ptype, cur_ip[16], ip_spec[] = "%pXX";
> >
> > fmt_end = strnchr(fmt, fmt_size, 0);
> > - if (!fmt_end)
> > + if (!fmt_end || fmt_end == fmt)
> > return -EINVAL;
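Review bot: the added `fmt_end == fmt` condition only rejects an empty format string (a NUL as the very first byte), which is a different case from the missing-terminator problem named as the root cause in this thread; a format with no NUL within fmt_size already fails the existing `!fmt_end` check, because strnchr returns NULL in that case. The commit message should state what bpf_bprintf_prepare does wrong with a zero-length format so the purpose of the extra check is clear, and a short comment above the condition, e.g. `/* an empty format string is not allowed */`, would help readers who meet `fmt_end == fmt` without that context.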
>
> I don't think you root caused it correctly.
> The better fix and analysis:
I am keeping my analysis and patch.
The root cause of the problem is that the format string does not contain
a null terminator ('\0').
Filtering out map type 0x22 to solve the problem is too hasty, as it
would prevent all instructions from calling functions with constant
string arguments.