From: Ibrahim Zein <zeroxjacks@gmail.com>
To: ast@kernel.org
Cc: daniel@iogearbox.net, martin.lau@linux.dev, andrii@kernel.org,
bpf@vger.kernel.org, Ibrahim Zein <zeroxjacks@gmail.com>
Subject: [PATCH] bpf: fix out-of-bounds write in bpf_bprintf_prepare with %pI4/%pI6
Date: Wed, 18 Mar 2026 18:20:13 -0400
Message-ID: <20260318222013.2009349-1-ZeroXJacks@gmail.com>
From: Ibrahim Zein <zeroxjacks@gmail.com>
In bpf_bprintf_prepare(), the bounds check for %pI4 and %pI6 format
specifiers uses sizeof_cur_ip (4 for IPv4, 16 for IPv6), which is the
raw byte count of the IP address. However, snprintf() returns the
length of the formatted string, not the raw bytes. For IPv4 this can
be up to 15 characters ("255.255.255.255") and for IPv6 up to 39.
tmp_buf is then advanced by (err + 1) using the full string length,
which can push tmp_buf past tmp_buf_end. The next iteration's bounds
check underflows due to unsigned arithmetic and passes, allowing a
write past the end of the per-CPU bin_args buffer.
Fix this by checking against the maximum formatted string size instead
of the raw byte count: 16 bytes for IPv4 and 40 bytes for IPv6.
Signed-off-by: Ibrahim Zein <zeroxjacks@gmail.com>
---
--- a/kernel/bpf/helpers.c 2026-03-18 18:04:49.000000000 -0400
+++ b/kernel/bpf/helpers.c 2026-03-18 18:09:39.126681954 -0400
@@ -930,7 +930,7 @@
goto nocopy_fmt;
sizeof_cur_ip = (fmt[i] == '4') ? 4 : 16;
- if (tmp_buf_end - tmp_buf < sizeof_cur_ip) {
+ if (tmp_buf_end - tmp_buf < (size_t)((fmt[i] == '4') ? 16 : 40)) {
err = -ENOSPC;
goto out;
}
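Review bot: the `+` line hard-codes 16 and 40 directly under `sizeof_cur_ip = (fmt[i] == '4') ? 4 : 16;`, re-evaluating the same `fmt[i] == '4'` test and leaving the reader to work out that 16 is "255.255.255.255" plus the NUL and 40 is the 39-character uncompressed %pI6 form plus the NUL. Compute the worst-case formatted size once next to sizeof_cur_ip, with a comment giving that derivation, and use that variable in the check; the `(size_t)` cast keeps the comparison unsigned, so the check only holds as long as this is the sole path that advances tmp_buf, which is worth a sentence in the commit message. The file headers above the hunk carry diff(1) timestamps rather than a `diff --git` line, so please resend as output of git format-patch.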
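Added example, not part of this patch or of the kernel sources: a user-space C model of the tmp_buf bookkeeping the commit message describes (bounds check, snprintf() into the remaining space, advance by err + 1, unsigned comparison), run once with the old raw-byte-count check and once with the worst-case formatted-length check. The buffer sizes, the canary region after the buffer, the %pI4/%pI6 stand-in formatters and the capped size handed to snprintf() after the comparison has wrapped are all assumptions made for the demonstration; the real helper passes the wrapped value through unchanged.

```c
/*
 * Added example (not kernel code): model of the %pI4/%pI6 path in
 * bpf_bprintf_prepare(). Buffer sizes, formatters and the guard region
 * are assumptions for the demonstration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIM_BUF_MAX  64     /* largest stand-in for the per-CPU buffer */
#define SIM_GUARD    64     /* canary bytes after it, to catch overruns */
#define SIM_CANARY   0xA5

enum check_mode {
	CHECK_RAW_BYTES,    /* old check: sizeof_cur_ip, 4 or 16 */
	CHECK_FORMATTED,    /* fixed check: 16 or 40, string plus NUL */
};

struct sim_result {
	int err;             /* 0 or -ENOSPC */
	size_t overrun;      /* how far tmp_buf ended past tmp_buf_end */
	int guard_clobbered; /* 1 if a write landed outside the buffer */
};

/* Constructed worst-case inputs: 15-char dotted quad, 39-char %pI6. */
static const unsigned char SIM_V4_MAX[4] = { 255, 255, 255, 255 };
static const unsigned char SIM_V6_MAX[16] = {
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

/* Stand-ins for %pI4 (dotted quad) and %pI6 (eight uncompressed groups). */
static int sim_fmt_ip(char *dst, size_t len, const unsigned char *ip, int is_v4)
{
	if (is_v4)
		return snprintf(dst, len, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
	return snprintf(dst, len,
			"%02x%02x:%02x%02x:%02x%02x:%02x%02x:"
			"%02x%02x:%02x%02x:%02x%02x:%02x%02x",
			ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7],
			ip[8], ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15]);
}

/*
 * Format `count` copies of `ip` back to back into a `bufsz`-byte buffer
 * the way the helper does: bounds check, snprintf() into the remaining
 * space, then advance by (err + 1), where err is the full formatted
 * length even when snprintf() truncated.
 */
static struct sim_result sim_run(enum check_mode mode, const unsigned char *ip,
				 int is_v4, int count, size_t bufsz)
{
	char buf[SIM_BUF_MAX + SIM_GUARD];
	char *tmp_buf = buf, *tmp_buf_end, *array_end = buf + sizeof(buf);
	struct sim_result r = { 0, 0, 0 };
	size_t need, room;

	if (bufsz > SIM_BUF_MAX)
		bufsz = SIM_BUF_MAX;
	tmp_buf_end = buf + bufsz;
	if (mode == CHECK_RAW_BYTES)
		need = is_v4 ? 4 : 16;
	else
		need = is_v4 ? 16 : 40;  /* "255.255.255.255"+NUL, 39 chars+NUL */
	memset(buf, SIM_CANARY, sizeof(buf));

	for (int i = 0; i < count; i++) {
		/* unsigned compare: once tmp_buf > tmp_buf_end this wraps and passes */
		room = (size_t)(tmp_buf_end - tmp_buf);
		if (room < need) {
			r.err = -ENOSPC;
			break;
		}
		/*
		 * The helper hands `room` to snprintf() as is; after the wrap
		 * that is an unbounded write. Cap it to the guard (assumption)
		 * so the demonstration stays well-defined while still landing
		 * outside the buffer.
		 */
		if (room > (size_t)(array_end - tmp_buf))
			room = (size_t)(array_end - tmp_buf);
		tmp_buf += sim_fmt_ip(tmp_buf, room, ip, is_v4) + 1;
	}

	if (tmp_buf > tmp_buf_end)
		r.overrun = (size_t)(tmp_buf - tmp_buf_end);
	for (const char *p = tmp_buf_end; p < array_end; p++)
		if ((unsigned char)*p != SIM_CANARY)
			r.guard_clobbered = 1;
	return r;
}

int main(void)
{
	struct sim_result r;

	r = sim_run(CHECK_RAW_BYTES, SIM_V4_MAX, 1, 4, 40);
	printf("raw-byte check, %%pI4 x4 into 40 bytes: err=%d overrun=%zu guard_clobbered=%d\n",
	       r.err, r.overrun, r.guard_clobbered);
	r = sim_run(CHECK_FORMATTED, SIM_V4_MAX, 1, 4, 40);
	printf("formatted check, same input:            err=%d overrun=%zu guard_clobbered=%d\n",
	       r.err, r.overrun, r.guard_clobbered);
	r = sim_run(CHECK_RAW_BYTES, SIM_V6_MAX, 0, 3, 60);
	printf("raw-byte check, %%pI6 x3 into 60 bytes: err=%d overrun=%zu guard_clobbered=%d\n",
	       r.err, r.overrun, r.guard_clobbered);
	return 0;
}
```

With the raw-byte check, the third IPv4 address is truncated by snprintf() but tmp_buf still advances by 16, so it ends 8 bytes past tmp_buf_end; the fourth iteration's wrapped comparison passes and the write lands in the canary region. With the formatted-length check the same input stops at -ENOSPC with the canary intact.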
Thread overview: 6+ messages
2026-03-18 22:20 Ibrahim Zein [this message]
2026-03-18 22:26 ` [PATCH] bpf: fix out-of-bounds write in bpf_bprintf_prepare with %pI4/%pI6 Alexei Starovoitov
-- strict thread matches above, loose matches on Subject: below --
2026-03-19 3:47 Ibrahim Zein
2026-03-19 4:29 ` bot+bpf-ci
2026-03-19 4:30 Ibrahim Zein
2026-03-19 15:23 ` Mykyta Yatsenko