From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>,
"Paul Moses" <p@1g4.org>, <martin.lau@linux.dev>,
<ast@kernel.org>, <daniel@iogearbox.net>, <andrii@kernel.org>,
<eddyz87@gmail.com>, <bpf@vger.kernel.org>
Cc: <song@kernel.org>, <yonghong.song@linux.dev>, <jolsa@kernel.org>,
<houtao1@huawei.com>, <linux-kernel@vger.kernel.org>,
<stable@vger.kernel.org>
Subject: Re: [PATCH bpf] bpf: Validate BTF repeated field counts before expansion
Date: Sun, 07 Jun 2026 09:55:47 -0700
Message-ID: <DJ2Z46YDPFUR.3BDR6ZW4P912C@gmail.com>
In-Reply-To: <DJ2OZSCSEVEI.3APUCE7ML9X4Q@gmail.com>
On Sun Jun 7, 2026 at 1:59 AM PDT, Kumar Kartikeya Dwivedi wrote:
> On Sat Jun 6, 2026 at 1:43 AM CEST, Paul Moses wrote:
>> btf_parse_struct_metas() walks user-supplied BTF during BPF_BTF_LOAD,
>> and btf_repeat_fields() expands repeatable fields from array elements
>> into the fixed BTF_FIELDS_MAX scratch array used by btf_parse_fields().
>>
>> The remaining-capacity check performs the expanded field count calculation
>> in u32. A malformed BTF can wrap that calculation, causing the check to
>> pass even when the expanded field count exceeds the scratch array
>> capacity. The following memcpy() can then write past the end of the
>> array.
>>
>> Use checked addition and multiplication before copying repeated fields
>> and reject impossible counts.
>>
>> Fixes: 797d73ee232d ("bpf: Check the remaining info_cnt before repeating btf fields")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Paul Moses <p@1g4.org>
>> ---
>
> Do you have an example where this actually occurred in practice?
>
>> kernel/bpf/btf.c | 9 ++++-----
>> 1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
>> index a62d78581207..510aa32847da 100644
>> --- a/kernel/bpf/btf.c
>> +++ b/kernel/bpf/btf.c
>> @@ -3668,7 +3668,7 @@ static int btf_get_field_type(const struct btf *btf, const struct btf_type *var_
>> static int btf_repeat_fields(struct btf_field_info *info, int info_cnt,
>> u32 field_cnt, u32 repeat_cnt, u32 elem_size)
>> {
>> - u32 i, j;
>> + u32 i, j, total_cnt, total_repeats;
>> u32 cur;
>>
>> /* Ensure not repeating fields that should not be repeated. */
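Review bot: the signature keeps 'int info_cnt' while the two new locals 'total_cnt' and 'total_repeats' are u32, so the capacity comparison ends up mixing signed and unsigned types and needs a cast. Since the declarations are being touched anyway, changing the parameter to 'u32 info_cnt' (it only ever carries a non-negative remaining capacity) would keep the whole calculation in one type and avoid the cast.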
>> @@ -3686,10 +3686,9 @@ static int btf_repeat_fields(struct btf_field_info *info, int info_cnt,
>> }
>> }
>>
>> - /* The type of struct size or variable size is u32,
>> - * so the multiplication will not overflow.
>> - */
>> - if (field_cnt * (repeat_cnt + 1) > info_cnt)
>> + if (check_add_overflow(repeat_cnt, 1, &total_repeats) ||
>> + check_mul_overflow(field_cnt, total_repeats, &total_cnt) ||
>> + total_cnt > (u32)info_cnt)
>> return -E2BIG;
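Review bot: the new compare 'total_cnt > (u32)info_cnt' turns a negative 'info_cnt' into a very large unsigned value, so a bogus negative capacity would make the check pass instead of fail; either reject 'info_cnt < 0' up front or compare in the parameter's own type. Separately, the deleted comment gave a reason why the multiplication could not overflow (struct and variable sizes are u32); the replacement asserts the opposite without saying which of 'field_cnt' or 'repeat_cnt' can actually grow large enough, and the commit message should spell that derivation out, which is also what the thread is asking for with its request for a reproducer.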
The callers of this function do:
if (nelems > 1) {
err = btf_repeat_fields(info, info_cnt, ret, nelems - 1, t->size);
so repeat_cnt cannot overflow.
'ret' (which is field_cnt) comes from btf_find_struct_field().
To overflow the struct needs to have 32k valid fields.
Is this really what is happening?
The issue is deeper. Please have a reliable reproducer first.
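A userspace model of the capacity check in both its old and its checked form, added here as an example (it is not the kernel's code and not part of the patch); MODEL_INFO_CNT is an assumed stand-in for BTF_FIELDS_MAX and every input value is constructed, including the wrapping pair that min_fields_to_wrap() reproduces the "32k valid fields" arithmetic for:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the BTF_FIELDS_MAX scratch array capacity. */
#define MODEL_INFO_CNT 11

/* Old check: the product is computed in u32 and wraps modulo 2^32
 * before the comparison, so a wrapped total can look small enough. */
static bool fits_unchecked(uint32_t field_cnt, uint32_t repeat_cnt, int info_cnt)
{
	uint32_t total = field_cnt * (repeat_cnt + 1u);

	return total <= (uint32_t)info_cnt;
}

/* Patched check: __builtin_*_overflow() is the userspace counterpart of
 * the kernel's check_add_overflow()/check_mul_overflow() helpers.
 * Note the (uint32_t)info_cnt cast: a negative info_cnt becomes huge
 * and the check passes, which is why the parameter type matters. */
static bool fits_checked(uint32_t field_cnt, uint32_t repeat_cnt, int info_cnt)
{
	uint32_t total_repeats, total_cnt;

	if (__builtin_add_overflow(repeat_cnt, 1u, &total_repeats))
		return false;
	if (__builtin_mul_overflow(field_cnt, total_repeats, &total_cnt))
		return false;
	return total_cnt <= (uint32_t)info_cnt;
}

/* Smallest field_cnt for which field_cnt * (repeat_cnt + 1) wraps u32,
 * i.e. how many valid fields a struct would need for the old check to
 * be fooled given a particular repeat count. */
static uint64_t min_fields_to_wrap(uint32_t repeat_cnt)
{
	uint64_t reps = (uint64_t)repeat_cnt + 1;

	return ((UINT64_C(1) << 32) + reps - 1) / reps;
}

int main(void)
{
	/* Constructed values: 65536 fields repeated 65535 more times. */
	printf("unchecked: %d  checked: %d  fields needed: %llu\n",
	       fits_unchecked(65536, 65535, MODEL_INFO_CNT),
	       fits_checked(65536, 65535, MODEL_INFO_CNT),
	       (unsigned long long)min_fields_to_wrap(131071));
	return 0;
}
```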
Thread overview: 6+ messages
2026-06-05 23:43 [PATCH bpf] bpf: Validate BTF repeated field counts before expansion Paul Moses
2026-06-07 8:59 ` Kumar Kartikeya Dwivedi
2026-06-07 10:11 ` Paul Moses
2026-06-07 11:08 ` Kumar Kartikeya Dwivedi
2026-06-07 17:53 ` Paul Moses
2026-06-07 16:55 ` Alexei Starovoitov [this message]