From: sashiko-bot@kernel.org
To: "Alan Maguire" <alan.maguire@oracle.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v3 bpf-next 2/6] libbpf: Adjust btf_vlen() to return a __u32
Date: Fri, 17 Apr 2026 17:07:11 +0000
Message-ID: <20260417170712.74E77C19425@smtp.kernel.org>
In-Reply-To: <20260417143023.1551481-3-alan.maguire@oracle.com>

Sashiko AI review found 1 potential issue(s):
- [High] On 32-bit systems, `btf_parse_type_sec()` is vulnerable to pointer arithmetic wrap-around due to missing strict bounds checking, allowing an attacker-crafted BTF layout to bypass safety checks and cause out-of-bounds memory access.
--

commit 0d6d9306686384cb94334ae8845f954db44a9f74
Author: Alan Maguire <alan.maguire@oracle.com>

libbpf: Adjust btf_vlen() to return a __u32

Now that vlen is 24 bits, btf_vlen() must return a __u32.
Adjust use cases in libbpf accordingly.  Also add error
handling to avoid vlen overflow in btf_type_inc_vlen().

> diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
> index ceb57b46a8782..267904939098c 100644
> --- a/tools/lib/bpf/btf.c
> +++ b/tools/lib/bpf/btf.c
> @@ -421,7 +421,7 @@ static int btf_type_size_unknown(const struct btf *btf, const struct btf_type *t
>  {
>  	__u32 l_cnt = btf->hdr.layout_len / sizeof(struct btf_layout);
>  	struct btf_layout *l = btf->layout;
> -	__u16 vlen = btf_vlen(t);
> +	__u32 vlen = btf_vlen(t);
>  	__u32 kind = btf_kind(t);
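
Review bot: widening `vlen` to `__u32` in btf_type_size_unknown() does not make the size computation safe, because the product `vlen * l[kind].elem_sz` in this function's return statement (quoted later in this message as `return sizeof(struct btf_type) + l[kind].info_sz + vlen * l[kind].elem_sz;`) is still evaluated in 32-bit unsigned arithmetic and handed back as a signed int. With vlen now 24 bits wide, an elem_sz of 256 or more is enough for the product to exceed 32 bits, so a layout with a large elem_sz can make the computed size wrap to a small positive value that passes a length check while the type actually spans far more bytes. Suggest computing the size in a `__u64` and returning an error when it exceeds INT_MAX, so callers that compare the result against the remaining section length see the real size rather than a wrapped one.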

Can this lead to a pointer arithmetic wrap-around regression on 32-bit
systems?

The size is calculated later in this function using unsigned 32-bit
arithmetic and returned as a signed int:

    return sizeof(struct btf_type) + l[kind].info_sz + vlen * l[kind].elem_sz;

An attacker could provide a custom layout with an artificially large elem_sz
(e.g., 2,000,000,000). For a type with vlen = 1, the calculated size fits
within a positive signed 32-bit int and is returned as a valid positive
type_size.

When btf_parse_type_sec() checks if next_type + type_size > end_type, it
evaluates this using 32-bit pointer arithmetic. If next_type is located high
in the address space, adding 2,000,000,000 wraps around the 32-bit boundary
to a numerically smaller low address, incorrectly passing the bounds check.

This causes next_type to advance to the wrapped address, allowing subsequent
loop iterations to read arbitrary memory and potentially cause out-of-bounds
accesses or crashes.

While this parser logic issue predates this patch, should we address it here
by safely checking the offset instead? For example:

    if ((size_t)type_size > (size_t)((char *)end_type - (char *)next_type))

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260417143023.1551481-1-alan.maguire@oracle.com?part=2
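
The wrap-around described in the review above, and the remaining-length check it proposes, worked through as an added example. This is toy C written for this page, not libbpf's code: the `model_*` names, the 12-byte header with an assumed info encoding (low 24 bits vlen, top 8 bits kind), the per-kind layout table and the sample section bytes are all constructed here. The 32-bit pointer arithmetic is modelled with `uint32_t` addresses so the wrap can be shown on any host; the walk also computes the type size in 64 bits, which is the companion guard for `vlen * elem_sz` overflowing once vlen is 24 bits wide.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of a BTF type-section walk. Assumption: this is NOT libbpf's code;
 * the record layout and the info encoding are simplified stand-ins.
 *  - a type header mirrors struct btf_type: three 32-bit words (12 bytes);
 *  - info encoding (assumed): bits 0..23 vlen, bits 24..31 kind;
 *  - each kind has a layout entry with a fixed info size and a per-element size.
 */
struct model_type { uint32_t name_off; uint32_t info; uint32_t size; };
struct model_layout { uint32_t info_sz; uint32_t elem_sz; };

#define MODEL_VLEN(info) ((info) & 0x00ffffffu)
#define MODEL_KIND(info) (((info) >> 24) & 0xffu)

/* The size expression from the review, evaluated in 32-bit unsigned arithmetic
 * and returned as int: with a 24-bit vlen the product can wrap. */
static int model_type_size_u32(const struct model_layout *l, uint32_t info)
{
	uint32_t vlen = MODEL_VLEN(info);
	uint32_t sz = (uint32_t)sizeof(struct model_type) + l->info_sz + vlen * l->elem_sz;
	return (int)sz;
}

/* Hardened version: widen to 64 bits and refuse a size an int cannot hold. */
static int model_type_size(const struct model_layout *l, uint32_t info)
{
	uint64_t sz = sizeof(struct model_type) + (uint64_t)l->info_sz
		    + (uint64_t)MODEL_VLEN(info) * l->elem_sz;
	return sz > INT_MAX ? -1 : (int)sz;
}

/* The bounds check as described for 32-bit targets, modelled on 32-bit
 * addresses: next + type_size is formed first, so it can wrap below end. */
static bool unsafe_fits32(uint32_t next_addr, uint32_t end_addr, uint32_t type_size)
{
	uint32_t after = next_addr + type_size;	/* wraps modulo 2^32 */
	return !(after > end_addr);
}

/* The suggested replacement: compare the size against the bytes remaining. */
static bool safe_fits32(uint32_t next_addr, uint32_t end_addr, uint32_t type_size)
{
	return next_addr <= end_addr && type_size <= end_addr - next_addr;
}

/* Walk a type section of len bytes using the remaining-length check.
 * Returns the number of types parsed, or -1 if the section is malformed. */
static int model_walk(const struct model_layout *layout, size_t nkinds,
		      const uint8_t *buf, size_t len)
{
	const uint8_t *next = buf, *end = buf + len;
	int count = 0;

	while (next < end) {
		struct model_type t;
		int type_size;

		if ((size_t)(end - next) < sizeof(t))
			return -1;
		memcpy(&t, next, sizeof(t));
		if (MODEL_KIND(t.info) >= nkinds)
			return -1;
		type_size = model_type_size(&layout[MODEL_KIND(t.info)], t.info);
		if (type_size < 0)
			return -1;
		/* Never form next + type_size before knowing that it fits. */
		if ((size_t)type_size > (size_t)(end - next))
			return -1;
		next += type_size;
		count++;
	}
	return count;
}

/* Constructed sample: kind 0 has 4-byte elements; two types, vlen 2 then vlen 0. */
static const struct model_layout sample_layout[] = { { 0, 4 } };
static const uint8_t sample_section[32] = {
	0, 0, 0, 0,   2, 0, 0, 0,   0, 0, 0, 0,	/* type 1: vlen 2, kind 0 */
	1, 0, 0, 0,   2, 0, 0, 0,		/* its two 4-byte elements */
	0, 0, 0, 0,   0, 0, 0, 0,   0, 0, 0, 0,	/* type 2: vlen 0, kind 0 */
};

int main(void)
{
	/* Crafted layout from the review: elem_sz 2,000,000,000 with vlen 1. */
	struct model_layout crafted = { 0, 2000000000u };
	struct model_layout wide = { 0, 512 };
	int sz = model_type_size(&crafted, 1);

	printf("well-formed section: %d types\n",
	       model_walk(sample_layout, 1, sample_section, sizeof(sample_section)));
	printf("crafted type_size = %d\n", sz);
	printf("next=0xBFFF0000 end=0xBFFF0040: unsafe check passes=%d, safe check passes=%d\n",
	       unsafe_fits32(0xBFFF0000u, 0xBFFF0040u, (uint32_t)sz),
	       safe_fits32(0xBFFF0000u, 0xBFFF0040u, (uint32_t)sz));
	printf("vlen 0x800000 * elem_sz 512: u32 size=%d, checked size=%d\n",
	       model_type_size_u32(&wide, 0x800000u), model_type_size(&wide, 0x800000u));
	return 0;
}
```

Build with `cc -std=c99 -Wall model_walk.c`. The second `printf` reproduces the review's scenario: 0xBFFF0000 + 2,000,000,012 wraps to 0x3734840C, which is numerically below `end`, so the address-sum check accepts a type that needs 2 GB while only 64 bytes remain, whereas the remaining-length check rejects it. The last line shows the companion overflow: a vlen of 0x800000 times a 512-byte elem_sz is exactly 2^32, so the 32-bit product wraps to zero and the type appears to be 12 bytes long.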

Thread overview: 22+ messages
2026-04-17 14:30 [PATCH v3 bpf-next 0/6] bpf: Extend BTF UAPI vlen, kinds to use unused bits Alan Maguire
2026-04-17 14:30 ` [PATCH v3 bpf-next 1/6] " Alan Maguire
2026-04-17 18:11   ` Mykyta Yatsenko
2026-04-17 14:30 ` [PATCH v3 bpf-next 2/6] libbpf: Adjust btf_vlen() to return a __u32 Alan Maguire
2026-04-17 17:07   ` sashiko-bot [this message]
2026-04-20  8:02     ` Alan Maguire
2026-04-20 15:39       ` Alexei Starovoitov
2026-04-20 16:07         ` Alan Maguire
2026-04-17 18:26   ` Mykyta Yatsenko
2026-04-17 14:30 ` [PATCH v3 bpf-next 3/6] bpftool: Support 24-bit vlen Alan Maguire
2026-04-17 18:36   ` Mykyta Yatsenko
2026-04-17 14:30 ` [PATCH v3 bpf-next 4/6] selftests/bpf: Fix up btf/invalid test for extended kind Alan Maguire
2026-04-17 19:07   ` Mykyta Yatsenko
2026-04-17 14:30 ` [PATCH v3 bpf-next 5/6] selftests/bpf: Fix up __u16 vlen assumptions Alan Maguire
2026-04-17 19:06   ` Mykyta Yatsenko
2026-04-17 14:30 ` [PATCH v3 bpf-next 6/6] Documentation/bpf: Update btf doc with updated vlen, kind sizes Alan Maguire
2026-04-17 15:39   ` bot+bpf-ci
2026-04-20  8:09     ` Alan Maguire
2026-04-20 11:48       ` Mykyta Yatsenko
2026-04-20 18:30 ` [PATCH v3 bpf-next 0/6] bpf: Extend BTF UAPI vlen, kinds to use unused bits David Faust
2026-04-20 19:24   ` Alan Maguire
2026-04-21  1:00 ` patchwork-bot+netdevbpf
