Re: [syzbot] [bpf?] KASAN: slab-out-of-bounds Read in strnchr

Next message: syzbot: "Forwarded: Re: [syzbot] [f2fs?] KASAN: use-after-free Read in f2fs_write_end_io (2)"
Previous message: Yang Li via B4 Relay: "[PATCH] Bluetooth: mgmt: report extended advertising SID to userspace"
In reply to: syzbot: "Forwarded: [PATCH] bpf: Reject BPF_MAP_TYPE_INSN_ARRAY in check_reg_const_str()"
Next in thread: syzbot: "Re: [syzbot] [bpf?] KASAN: slab-out-of-bounds Read in strnchr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edward Adam Davis

Date: Wed Jan 07 2026 - 03:49:08 EST

#syz test

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index db72b96f9c8c..88da2d0e634c 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -827,7 +827,7 @@ int bpf_bprintf_prepare(const char *fmt, u32 fmt_size, const u64 *raw_args,
char fmt_ptype, cur_ip[16], ip_spec[] = "%pXX";

fmt_end = strnchr(fmt, fmt_size, 0);
- if (!fmt_end)
+ if (!fmt_end || fmt_end == fmt)
return -EINVAL;
fmt_size = fmt_end - fmt;