authorDaniel Borkmann <daniel@iogearbox.net>2026-06-02 16:30:50 +0300
committerAlexei Starovoitov <ast@kernel.org>2026-06-02 19:46:52 +0300
commit7fef1796ec4d8c4cce70c374efafdbbc8d6d6cbc (patch)
tree11c73a59914a000771826ee6fa54528263a5a089
parent3c56ee343f9412d81918635c3e25e22a5dd6d87e (diff)
libbpf: Guard add_data() against size overflow
add_data() computes size8 = roundup(size, 8) and then hands size8 to realloc_data_buf() before doing memcpy(gen->data_cur, data, size) with the original size. A wrapped size8 passes through the realloc_data_buf() INT32_MAX check. Harden this against overflow, though not realistic to happen in practice. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20260602133052.423725-3-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-rw-r--r--tools/lib/bpf/gen_loader.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
index 66e13566bc31..d79695f01c87 100644
--- a/tools/lib/bpf/gen_loader.c
+++ b/tools/lib/bpf/gen_loader.c
@@ -160,10 +160,16 @@ void bpf_gen__init(struct bpf_gen *gen, int log_level, int nr_progs, int nr_maps
static int add_data(struct bpf_gen *gen, const void *data, __u32 size)
{
- __u32 size8 = roundup(size, 8);
__u64 zero = 0;
+ __u32 size8;
void *prev;
+ if (size > INT32_MAX) {
+ gen->error = -ERANGE;
+ return 0;
+ }
+ size8 = roundup(size, 8);
+
if (realloc_data_buf(gen, size8))
return 0;
prev = gen->data_cur;
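Review bot: The new guard at the top of add_data() assigns `gen->error = -ERANGE` unconditionally, so an error recorded by an earlier generator step would be replaced by -ERANGE when an oversized call follows it. If realloc_data_buf() leaves an already-set gen->error alone (its body is not visible here, so this is inferred), the guard should match it with `if (!gen->error) gen->error = -ERANGE;`. A short comment above the check would also help the next reader, for example `/* reject before roundup(): size8 is __u32 and can wrap, while memcpy() below still copies the original size */`. The body of add_data() continues past the end of this hunk.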