From: Paul Chaignon <paul.chaignon@gmail.com>
To: Ibrahim Zein <zeroxjacks@gmail.com>
Cc: ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
andrii@kernel.org, bpf@vger.kernel.org, jolsa@kernel.org,
kpsingh@kernel.org, linux-kselftest@vger.kernel.org,
haoluo@google.com, revest@chromium.org, john.fastabend@gmail.com,
shuah@kernel.org, sdf@fomichev.me, yonghong.song@linux.dev,
song@kernel.org, eddyz87@gmail.com
Subject: Re: [PATCH bpf-next v3] bpf: fix out-of-bounds write in bpf_bprintf_prepare with %pI4/%pI6
Date: Thu, 19 Mar 2026 15:47:58 +0100
Message-ID: <abwMniHt2AZcPBas@mail.gmail.com>
In-Reply-To: <20260319124901.9207-1-zeroxjacks@gmail.com>
On Thu, Mar 19, 2026 at 12:49:00PM +0000, Ibrahim Zein wrote:
> In bpf_bprintf_prepare(), the bounds check for %pI4 and %pI6 format
> specifiers uses sizeof_cur_ip (4 for IPv4, 16 for IPv6), which is the
> raw byte count of the IP address. However, snprintf() returns the
> length of the formatted string, not the raw bytes. For IPv4 this can
> be up to 15 characters (255.255.255.255) and for IPv6 up to 39.
>
> tmp_buf is then advanced by (err + 1) using the full string length,
> which can push tmp_buf past tmp_buf_end. The next iteration's bounds
> check underflows due to unsigned arithmetic and passes, allowing a
> write past the end of the per-CPU bin_args buffer.
>
> Fix this by checking against the maximum formatted string size:
> 16 bytes for IPv4 and 40 bytes for IPv6.
>
> Fixes: 48cac3f4a96d ("bpf: Implement formatted output helpers with bstr_printf")
> Signed-off-by: Ibrahim Zein <zeroxjacks@gmail.com>
> ---
Please include a changelog whenever sending a new version. That's
typically the first thing I look at, to get an idea of the current
state.
> kernel/bpf/helpers.c | 2 +-
> .../bpf/prog_tests/test_snprintf_ip.c | 54 +++++++++++++
> .../selftests/bpf/progs/test_snprintf_ip.c | 78 +++++++++++++++++++
> 3 files changed, 133 insertions(+), 1 deletion(-)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c
> create mode 100644 tools/testing/selftests/bpf/progs/test_snprintf_ip.c
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index cb6d242bd..dcaa822ba 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -930,7 +930,7 @@ int bpf_bprintf_prepare(const char *fmt, u32 fmt_size, const u64 *raw_args,
> goto nocopy_fmt;
>
> sizeof_cur_ip = (fmt[i] == '4') ? 4 : 16;
> - if (tmp_buf_end - tmp_buf < sizeof_cur_ip) {
> + if (tmp_buf_end - tmp_buf < (size_t)((fmt[i] == '4') ? 16 : 40)) {
Maybe this code could be improved, but I don't think it's going to cause
an out-of-bounds write as the write into tmp_buf is done with snprintf.
> err = -ENOSPC;
> goto out;
> }
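Review bot: the `(size_t)` cast on the new right-hand side changes the signedness of the comparison: `tmp_buf_end - tmp_buf` is a pointer difference (ptrdiff_t, signed), so if the cursor has already been advanced past tmp_buf_end, as the commit message describes, the negative remainder is converted to a huge unsigned value and the check passes instead of returning -ENOSPC; comparing as signed (dropping the cast, or keeping the limit in a ptrdiff_t) makes a negative remainder fail the check. Also, the new limits duplicate the `fmt[i] == '4'` ternary from the line above; computing the formatted maximum next to `sizeof_cur_ip` (e.g. `max_ip_len = (fmt[i] == '4') ? 16 : 40;`) or naming the constants would keep the two in one place and document where 16 and 40 come from (15 characters plus NUL for IPv4, 39 plus NUL for IPv6).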
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c b/tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c
> new file mode 100644
> index 000000000..5b000d6d1
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c
This new test is always passing.
In addition, when adding selftests that cover your changes, it's
preferred to introduce them in a new patch.
[...]
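The cursor arithmetic that the commit message and the reply discuss, as an added stand-alone C example (not kernel code and not part of this thread): snprintf() bounds its own write to the space it is given but returns the untruncated length, so advancing by err + 1 can move the cursor past the buffer end, and a size_t on one side of the bounds check turns a negative remainder into a value that passes. The small buffer size, the `need` parameter, the sample addresses and the -EOVERFLOW instrumentation are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 24 /* constructed, deliberately small stand-in for the real buffer */

/* Constructed sample input: two worst-case (15-character) IPv4 addresses. */
static const uint8_t SAMPLE_IPS[2][4] = {
	{ 255, 255, 255, 255 }, { 255, 255, 255, 255 },
};

/* Bounds check with a signed remainder: a negative remainder fails it. */
static int check_passes_signed(ptrdiff_t remaining, ptrdiff_t need)
{
	return !(remaining < need);
}

/* The same check with a size_t right-hand side: C's usual arithmetic
 * conversions turn the signed remainder into size_t (made explicit here),
 * so a negative remainder becomes a huge value and the check passes. */
static int check_passes_unsigned(ptrdiff_t remaining, size_t need)
{
	return !((size_t)remaining < need);
}

/* Mirror of the %pI4 loop: check space, snprintf, advance by err + 1.
 * `need` is what the bounds check compares against: 4 (raw address
 * size) or 16 ("255.255.255.255" plus NUL).  Returns the final cursor
 * offset, -ENOSPC when the check trips, or -EOVERFLOW (added here as
 * instrumentation) when the cursor lands past the end of the buffer. */
static long walk_ipv4(size_t n, const uint8_t (*ips)[4], ptrdiff_t need)
{
	char buf[BUF_SIZE];
	char *tmp_buf = buf, *tmp_buf_end = buf + BUF_SIZE;

	for (size_t i = 0; i < n; i++) {
		if (tmp_buf_end - tmp_buf < need)
			return -ENOSPC;
		/* snprintf writes at most the space it is given ... */
		int err = snprintf(tmp_buf, (size_t)(tmp_buf_end - tmp_buf),
				   "%u.%u.%u.%u", (unsigned)ips[i][0],
				   (unsigned)ips[i][1], (unsigned)ips[i][2],
				   (unsigned)ips[i][3]);
		/* ... but returns the full would-be length, so this can overshoot. */
		tmp_buf += err + 1;
		if (tmp_buf > tmp_buf_end)
			return -EOVERFLOW;
	}
	return tmp_buf - buf;
}
```

With BUF_SIZE 24 and two 15-character addresses, need = 4 lets the cursor overshoot after the second address, while need = 16 returns -ENOSPC before the second snprintf.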