Re: [PATCH] libbpf: fix UAF in strset__add_str()

From: Carlos Llamas

Date: Wed May 13 2026 - 21:11:06 EST


On Wed, May 13, 2026 at 11:55:53PM +0000, bot+bpf-ci@xxxxxxxxxx wrote:
> >
> > Fixes: 919d2b1dbb07 ("libbpf: Allow modification of BTF and add btf__add_str API")
> > Signed-off-by: Carlos Llamas <cmllamas@xxxxxxxxxx>
>
> The existing Fixes: tag points to commit 919d2b1dbb07, but the bug is
> actually in strset__add_str() which was introduced by commit 90d76d3ececc
> ("libbpf: Extract internal set-of-strings datastructure APIs").

Yes, the bug is currently in strset__add_str(). But it used to be in
btf__add_str() before the problematic code got migrated into a separate
file.

> While the vulnerable pattern originated in btf__add_str() from 919d2b1dbb07,
> the code being fixed resides in tools/lib/bpf/strset.c which was created by
> 90d76d3ececc when the string set functionality was extracted into a separate
> module.

Right, you are making my point here.

> Should this use:
>
> Fixes: 90d76d3ececc ("libbpf: Extract internal set-of-strings datastructure APIs")

I would think the commit tagged as "Fixes:" should be the one that
introduced the issue and not the one that better fits the file name or
function, no?

Another idea would be to tag instead the commit that introduced the
specific pattern that I ran into, which would be commit 9d199965990c
("resolve_btfids: Support for KF_IMPLICIT_ARGS").

Anyway, I'm happy to use any of these. It would be nice if a human can
confirm a preference though lol.

Regards,
--
Carlos Llamas