From: sashiko-bot@kernel.org
To: "Paul Moses" <p@1g4.org>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf] selftests/bpf: Add BTF repeated field count overflow test
Date: Tue, 09 Jun 2026 11:48:06 +0000
Message-ID: <20260609114807.0C81A1F00893@smtp.kernel.org>
In-Reply-To: <SzebdWqm2zREZBf8Tc5Kc-JDWbh9nBztnk4PUu5kRSD1OOdr_ESVTt__2Hd3-lClr47jIjJCXfOH0RHsMpjjpEUh_R2v30nh3T1IXNT6Pbo=@1g4.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] The patch adds a selftest that intentionally triggers a 32-bit integer multiplication overflow in `btf_repeat_fields()`, but fails to include the corresponding kernel fix. Running this test will cause a massive kernel stack buffer overflow and crash the system.
--
commit c85a43a465188ee0a856395b17e0e43e08bfa15b
Author: Paul Moses <p@1g4.org>
selftests/bpf: Add BTF repeated field count overflow test
Add a raw BTF test that exercises repeated special-field expansion with a
large array count to trigger an overflow in btf_repeat_fields.
> diff --git a/tools/testing/selftests/bpf/prog_tests/btf.c b/tools/testing/selftests/bpf/prog_tests/btf.c
> --- a/tools/testing/selftests/bpf/prog_tests/btf.c
> +++ b/tools/testing/selftests/bpf/prog_tests/btf.c
[ ... ]
> @@ -4258,6 +4258,43 @@ static struct btf_raw_test raw_tests[] = {
> .max_entries = 1,
> },
>
> +{
> + .descr = "struct test repeated fields count overflow",
> + .raw_types = {
> + BTF_TYPE_INT_ENC(NAME_TBD, BTF_INT_SIGNED, 0, 32, 4), /* [1] */
> + BTF_STRUCT_ENC(NAME_TBD, 0, 0), /* [2] */
[ ... ]
> + BTF_MEMBER_ENC(NAME_TBD, 5, 0),
> + BTF_MEMBER_ENC(NAME_TBD, 5, 0),
> + BTF_TYPE_ARRAY_ENC(6, 1, 0x1999999aU), /* [7] */
[Severity: Critical]
This isn't a bug introduced by this patch, but does adding this test without
its corresponding kernel fix deterministically crash systems running selftests?
This test intentionally triggers a 32-bit integer multiplication overflow in
kernel/bpf/btf.c:btf_repeat_fields(). The bounds check performs 32-bit
unsigned arithmetic:
kernel/bpf/btf.c:btf_repeat_fields() {
        ...
        if (field_cnt * (repeat_cnt + 1) > info_cnt)
                return -E2BIG;
        ...
}
The test crafts a BTF array of size 0x1999999a containing an internal struct
with 10 special fields. When evaluated, 10 * 0x1999999a equals 4294967300,
which wraps around to 4 in 32-bit math.
Since 4 is less than BTF_FIELDS_MAX (11), the bounds check incorrectly passes.
The loop then writes massively past the end of the stack-allocated info_arr
buffer:
kernel/bpf/btf.c:btf_repeat_fields() {
        ...
        for (i = 0; i < repeat_cnt; i++) {
                memcpy(&info[cur], &info[0], field_cnt * sizeof(info[0]));
                ...
}
Should the fix in btf_repeat_fields() be included alongside or before this
test is merged to prevent kernel panics during selftests?
> + BTF_STRUCT_ENC(NAME_TBD, 2, 8 + 8 * 0x1999999aU), /* [8] */
> + BTF_MEMBER_ENC(NAME_TBD, 4, 0),
> + BTF_MEMBER_ENC(NAME_TBD, 7, 64),
> + BTF_END_RAW,
> + },
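Review bot: the array count 0x1999999aU is used twice in this hunk, in `BTF_TYPE_ARRAY_ENC(6, 1, 0x1999999aU), /* [7] */` and in the outer struct size `BTF_STRUCT_ENC(NAME_TBD, 2, 8 + 8 * 0x1999999aU), /* [8] */`, but nothing in the hunk says why that value was chosen; a one-line comment next to the array type stating that ten special fields times this count wraps to 4 in 32-bit arithmetic would make the test readable without re-deriving it. Relatedly, the commit message says the test is meant "to trigger an overflow in btf_repeat_fields" yet names no kernel fix it depends on; naming that fix (or the dependency on it) in the commit message would let the maintainers order the two correctly.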
--
Sashiko AI review · https://sashiko.dev/#/patchset/SzebdWqm2zREZBf8Tc5Kc-JDWbh9nBztnk4PUu5kRSD1OOdr_ESVTt__2Hd3-lClr47jIjJCXfOH0RHsMpjjpEUh_R2v30nh3T1IXNT6Pbo=@1g4.org?part=1
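The review above walks through the 32-bit wrap in the `field_cnt * (repeat_cnt + 1) > info_cnt` check. The following user-space model is an added example, not kernel code and not part of the patch or the review: it reproduces the wrap with the review's own numbers, puts the quoted check beside an overflow-safe variant, and runs a bounded repeat loop that refuses the oversized request instead of writing past the buffer. It assumes BTF_FIELDS_MAX is 11 (the value the review states), that `repeat_cnt + 1` equals the array element count (the reading under which "10 * 0x1999999a wraps to 4" holds), and uses a stub entry type in place of `struct btf_field_info`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the review states info_arr holds BTF_FIELDS_MAX = 11 entries. */
#define BTF_FIELDS_MAX 11

/* Stand-in for struct btf_field_info; only an offset is needed here. */
struct field_info_stub {
	uint32_t type;
	uint32_t off;
};

/* The check as quoted by the review: the product is evaluated in u32 and
 * wraps, so a huge repeat count can look small. Returns true when the
 * request is rejected. */
static bool quoted_check_rejects(uint32_t field_cnt, uint32_t repeat_cnt,
				 uint32_t info_cnt)
{
	return field_cnt * (repeat_cnt + 1) > info_cnt;
}

/* Overflow-safe variant: widen to 64 bits before multiplying. In kernel
 * code the equivalent idiom would be check_mul_overflow() from
 * <linux/overflow.h>; this example stays portable instead. */
static bool widened_check_rejects(uint32_t field_cnt, uint32_t repeat_cnt,
				  uint32_t info_cnt)
{
	uint64_t need = (uint64_t)field_cnt * ((uint64_t)repeat_cnt + 1);

	return need > info_cnt;
}

/* Repeat the first field_cnt entries repeat_cnt more times, bumping each
 * copy's offset by elem_size, exactly as the quoted loop does, but only
 * after the widened check has proven the copies fit. Returns the number of
 * valid entries in info[] or -E2BIG. */
static int safe_repeat_fields(struct field_info_stub *info, uint32_t info_cnt,
			      uint32_t field_cnt, uint32_t repeat_cnt,
			      uint32_t elem_size)
{
	uint32_t cur = field_cnt;
	uint32_t i, j;

	if (widened_check_rejects(field_cnt, repeat_cnt, info_cnt))
		return -E2BIG;

	for (i = 0; i < repeat_cnt; i++) {
		memcpy(&info[cur], &info[0], field_cnt * sizeof(info[0]));
		for (j = 0; j < field_cnt; j++)
			info[cur + j].off += (i + 1) * elem_size;
		cur += field_cnt;
	}
	return (int)cur;
}

/* The review's arithmetic: ten special fields times an array count of
 * 0x1999999a. Unsigned wrap is well defined in C, so this is exactly what
 * the quoted u32 check computes. */
static uint32_t wrapped_product(void)
{
	return 10u * 0x1999999aU;
}

int main(void)
{
	/* Constructed sample: two special fields already found in element 0. */
	struct field_info_stub info[BTF_FIELDS_MAX] = { { 1, 0 }, { 2, 4 } };
	uint32_t nelems = 0x1999999aU;

	printf("10 * 0x1999999a in u32 = %u\n", wrapped_product());
	printf("quoted check rejects test input: %d\n",
	       quoted_check_rejects(10, nelems - 1, BTF_FIELDS_MAX));
	printf("widened check rejects test input: %d\n",
	       widened_check_rejects(10, nelems - 1, BTF_FIELDS_MAX));
	printf("safe repeat, 2 fields x 3 elems: %d entries\n",
	       safe_repeat_fields(info, BTF_FIELDS_MAX, 2, 2, 8));
	printf("safe repeat, test input: %d\n",
	       safe_repeat_fields(info, BTF_FIELDS_MAX, 10, nelems - 1, 8));
	return 0;
}
```

The quoted check lets the test's input through because the product wraps to 4, while the widened check sees 4294967300 and rejects it; the same loop body then never runs for the oversized request, which is the property a fix in btf_repeat_fields() needs to guarantee before this selftest can be merged safely.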
Thread overview:
2026-06-09 11:37 [PATCH bpf] selftests/bpf: Add BTF repeated field count overflow test Paul Moses
2026-06-09 11:48 ` sashiko-bot [this message]
2026-06-09 16:47 ` Eduard Zingerman
2026-06-09 18:08 ` Alexei Starovoitov