From: sashiko-bot@kernel.org
To: "Himanshu Anand" <anand.himanshu17@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf v2] bpf: Add nelems overflow check in btf_find_field_one()
Date: Sat, 23 May 2026 08:20:35 +0000	[thread overview]
Message-ID: <20260523082035.D2F931F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260523074736.222994-1-anand.himanshu17@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] The patch leaves a critical 32-bit integer overflow in `btf_repeat_fields()` unprotected, leading to a stack buffer overflow.
--

commit d1acecf46d6faa37ff66d19a08184489e682b397
Author: Himanshu Anand <anand.himanshu17@gmail.com>

bpf: Add nelems overflow check in btf_find_field_one()

This commit adds an overflow check when multiplying nested array element
counts in btf_find_field_one(). This aims to make the logic consistent with
__btf_resolve_size() and guards against future validation ordering changes.

> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index a62d785812076..b767a9fcf095d 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -3765,7 +3765,8 @@ static int btf_find_field_one(const struct btf *btf,
>  	 */
>  	for (i = 0; i < MAX_RESOLVE_DEPTH && btf_type_is_array(var_type); i++) {
>  		array = btf_array(var_type);
> -		nelems *= array->nelems;
> +		if (check_mul_overflow(nelems, array->nelems, &nelems))
> +			return -E2BIG;
>  		var_type = btf_type_by_id(btf, array->type);
>  	}
>  	if (i == MAX_RESOLVE_DEPTH)
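Review bot: the hunk returns -E2BIG on overflow, but the commit message only says the check is made "consistent with __btf_resolve_size()"; please state in the commit message whether __btf_resolve_size() rejects the same condition with the same errno, since a reviewer cannot confirm the consistency claim from the hunk alone and callers that compare error codes will see any difference. A second, smaller point on the same two lines: check_mul_overflow() stores the wrapped product into nelems even when it reports overflow, so nelems holds a bogus value at the `return -E2BIG;`. That is harmless here only because the function returns immediately; a one-line comment above the check would keep a future refactor from reusing nelems after it.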

[Severity: Critical]
This isn't a bug introduced by this patch, but does the bounds check in
btf_repeat_fields() further down in this function still have a 32-bit
integer overflow?

The commit message mentions that btf_array_resolve() prevents the total
array size from overflowing u32, meaning sz * nelems <= U32_MAX. However,
could a crafted BTF union with 11 struct members (field_cnt = 11) and an
element size of 8 bypass the validation if nelems is 390451573?

The array size check would pass since 390451573 * 8 = 3123612584 <= U32_MAX.

When btf_repeat_fields() is called at the end of this function:

    if (nelems > 1) {
        ret = btf_repeat_fields(info, info_cnt, 1, nelems - 1, sz);
        ...
    }

Is the multiplication field_cnt * (repeat_cnt + 1) inside
btf_repeat_fields() evaluated as a 32-bit operation? If so,
11 * 390451573 = 4294967303, which wraps around to 7.

Since 7 <= 11, wouldn't this bypass the bounds check and lead to an
out-of-bounds memcpy on the stack-allocated info_arr[BTF_FIELDS_MAX],
potentially overwriting kernel stack memory?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260523074736.222994-1-anand.himanshu17@gmail.com?part=1
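The arithmetic in the review above, worked in plain C as an added example (not code from the thread, the patch, or the kernel): `nelems_product_fits` mirrors the check the hunk adds, while `repeat_fits_naive` and `repeat_fits_checked` are hypothetical models of the btf_repeat_fields() bounds check, the first computed in 32 bits as the review suspects and the second guarded before the comparison. BTF_FIELDS_MAX = 11 is assumed from the review's field_cnt = 11, and __builtin_mul_overflow() is used because it is the compiler builtin that the kernel's check_mul_overflow() wraps.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed to match the kernel's BTF_FIELDS_MAX; the value is taken from the
 * review's field_cnt = 11 example, not from the kernel headers. */
#define BTF_FIELDS_MAX 11u

/* The u32 product the patch hunk now guards: multiply the element counts of
 * nested arrays and refuse any intermediate result that does not fit in 32
 * bits. __builtin_mul_overflow is what the kernel's check_mul_overflow()
 * expands to, so the semantics are the same. Returns false on overflow. */
static bool nelems_product_fits(const uint32_t *dims, size_t ndims, uint32_t *out)
{
	uint32_t nelems = 1;

	for (size_t i = 0; i < ndims; i++) {
		if (__builtin_mul_overflow(nelems, dims[i], &nelems))
			return false;	/* the hunk's -E2BIG path */
	}
	*out = nelems;
	return true;
}

/* Hypothetical model of the bounds check the review questions:
 * field_cnt * (repeat_cnt + 1) computed in 32 bits, then compared against
 * the stack array size. The product silently wraps mod 2^32, so a huge
 * repeat count can land below the limit. */
static bool repeat_fits_naive(uint32_t field_cnt, uint32_t repeat_cnt)
{
	uint32_t total = field_cnt * (repeat_cnt + 1);	/* wraps mod 2^32 */

	return total <= BTF_FIELDS_MAX;
}

/* Hardened form: check both the +1 and the multiplication for overflow
 * before comparing, so a wrapped product can never pass the bounds check. */
static bool repeat_fits_checked(uint32_t field_cnt, uint32_t repeat_cnt)
{
	uint32_t repeats, total;

	if (__builtin_add_overflow(repeat_cnt, 1u, &repeats))
		return false;
	if (__builtin_mul_overflow(field_cnt, repeats, &total))
		return false;
	return total <= BTF_FIELDS_MAX;
}

int main(void)
{
	/* Constructed inputs: the review's numbers, then a nested array whose
	 * element count is exactly 2^32 and must be rejected. */
	const uint32_t single[] = { 390451573u };
	const uint32_t nested[] = { 65536u, 65536u };
	const uint32_t field_cnt = 11u;
	const uint32_t sz = 8u;
	uint32_t nelems = 0;

	printf("single array fits u32: %s (nelems=%u, sz*nelems=%u)\n",
	       nelems_product_fits(single, 1, &nelems) ? "yes" : "no",
	       nelems, sz * nelems);
	printf("65536x65536 array fits u32: %s\n",
	       nelems_product_fits(nested, 2, &nelems) ? "yes" : "no");
	printf("naive check, field_cnt=%u nelems=%u: %s\n", field_cnt, 390451573u,
	       repeat_fits_naive(field_cnt, 390451573u - 1) ? "passes (wrapped)" : "rejects");
	printf("checked check, field_cnt=%u nelems=%u: %s\n", field_cnt, 390451573u,
	       repeat_fits_checked(field_cnt, 390451573u - 1) ? "passes" : "rejects");
	return 0;
}
```

Compile with gcc or clang. For the review's inputs the naive check computes 11 * 390451573 mod 2^32 = 7 and accepts, while the checked form rejects the same call; the single-array product 390451573 * 8 fits u32, which is why the array-size validation the commit message refers to does not catch this case on its own.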

Thread overview: 3+ messages
2026-05-23  7:47 [PATCH bpf v2] bpf: Add nelems overflow check in btf_find_field_one() Himanshu Anand
2026-05-23  8:20 ` sashiko-bot [this message]
2026-05-23  8:30 ` Alexei Starovoitov