bpf: Validate BTF repeated field counts before expansion - kernel/linux.git

diff options

author	Paul Moses <p@1g4.org>	2026-06-06 02:43:09 +0300
committer	Kumar Kartikeya Dwivedi <memxor@gmail.com>	2026-06-09 11:28:39 +0300
commit	b9452b594fd3aecbfd4aa0a6a1f741330a37dab7 (patch)
tree	236c6d571232b4827fa125455ba591be747f6387 /include/uapi/linux
parent	50dff00615522f3ec03449680ca23beb4cfc549c (diff)
download	linux-b9452b594fd3aecbfd4aa0a6a1f741330a37dab7.tar.xz

bpf: Validate BTF repeated field counts before expansion

btf_parse_struct_metas() walks user-supplied BTF during BPF_BTF_LOAD, and btf_repeat_fields() expands repeatable fields from array elements into the fixed BTF_FIELDS_MAX scratch array used by btf_parse_fields(). The remaining-capacity check performs the expanded field count calculation in u32. A malformed BTF can wrap that calculation, causing the check to pass even when the expanded field count exceeds the scratch array capacity. The following memcpy() can then write past the end of the array. Use checked addition and multiplication before copying repeated fields and reject impossible counts. Fixes: 797d73ee232d ("bpf: Check the remaining info_cnt before repeating btf fields") Cc: stable@vger.kernel.org Signed-off-by: Paul Moses <p@1g4.org> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/bpf/20260605234301.1109063-1-p@1g4.org Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

Diffstat (limited to 'include/uapi/linux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: