From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 254092F7EFF for ; Sun, 5 Jul 2026 22:39:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.42 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783291200; cv=none; b=CXPHFuoRD++iR4uQhF3/LvEcPdehdbPTGTzT/AxTgchrNW4dVQVf372nW4i0JPtRmHwT3jA7fyxQmFiOBH14MBqWhWIx7WF+pHgDMLaguOVeZRQJv4iPLqC/U+E7pSKrrYpZa1a0Lm4rfcJ4l7+6XR/Qe0K3ryU2ZPpPPc8+MHY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783291200; c=relaxed/simple; bh=PS2xAXVIuQtCbQz1pkLmtiWqjTlS3vlheexdkuqP46o=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=nkZmQrJ25D1sNCX/hb2s+UF73HRxJD/CmQD/XBMsGZMeSVY7dCsEJdB0Sg3Iw/nh6Y7iIlVdl1IcqwW+T1d7C/fR3j/ERxbr/k5sc4Mn7koGsrv/TWSqDU/JKWfIqpDasF2i9XbXQ6VIgXBrvzDEJ3zW6iQVHgERareCfvNbgZI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=FVY+cHwr; arc=none smtp.client-ip=209.85.216.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="FVY+cHwr" Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-381b831d535so2527520a91.0 for ; Sun, 05 Jul 2026 15:39:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783291198; x=1783895998; darn=vger.kernel.org; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:from:to:cc:subject :date:message-id:reply-to:content-type; bh=Gf/2ZnocWXbVZE2hJzu+IPJFR0h0FaQA/YYP7smERrg=; b=FVY+cHwrDtFh0x6w0tVQyL1nqTTDSDi3bobM1ugwPsKn36WRvOu0DEOgjYcMvUkrn9 UFvVjvBvT8u02xQiXXY0BUqGpyC3wbxZ8EDmDoXNl2vRlkYl0zlbO4pVmrLw+ZpPGwCn uMKErdVjr3XFTlUk5GhJDbp3pFOVF2odY4lIOj2EALPJqM9jIxwWLG8HTWop1VWoztmd /j94UuBDOthkp6OrKs7YKSo7HOocRT0UuONTaMN9gpuL/jwIDxpjsEivF2UX5pLBr6kK u96S8mKhh9xpn7agYmmRm6LSW9cZOkQBMWcABR2waoIec5S1DQW/psySfYXKALPUXmHn HAiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783291198; x=1783895998; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=Gf/2ZnocWXbVZE2hJzu+IPJFR0h0FaQA/YYP7smERrg=; b=m/yrgdtk3RgQdqzBmVO4ZUYGvCXitUkLmMEP2NUpksKXjD9fA0oT08t79HTDP9xshD OkwLvff0lU3sOznluKL6JgTDut0JNswQyx70BehmgVZw3LSgxpgcU1cqHCidJPabddok 0nsUscwoVc2EBYK2qioA+YPNQvxBJRgw6cfJgVFQA3aCPQmktSFw9oNpSpBYdS2t0n0A nInQNJsg1C9wh9qAiVZ8rezv/OrrSXy+f88REa+4wBIWq8XEOYHagJL9wBEEmquGISFy Ig1oZ8wdH8+O9h0A87/BWaDwXEX2/+OMSagKFkTZ0yNMxepNAb6v1XAHRw+SCc+DmRXN apHw== X-Forwarded-Encrypted: i=1; AHgh+Ro9F5/hwkoMtQOHjW48tKdwvlHGYx163NwMcRo4GwrjrxpiQJ0r3S72y5E5qNS4YKdpqrK5b2xPz9nXNhI=@vger.kernel.org X-Gm-Message-State: AOJu0YxmK6V884S81r5ftXMBqnhOnkQxzVtPx2gvqRi23VcyZJ1etRIO UVC48SVlPslNz66eW7t8M7DBw2bo20WaAWVKONhGRNiosRUlfxalP24Q X-Gm-Gg: AfdE7cmnCcpabN3Q/JFuON8jYUXvWJN6xw9gbRDzbQD2e9lrS1Edz2BFd3iGJvu1gIV u8oSf148yTFFkcth6nhc2r8FSY+twPMHrEA5Y3X6OppYnZXlmJrsEZflbwGN4gBe/JSw7gy2AMq dGQFbEr8rsbKzkSZ4+EqMND4wkMHDjz2oPeFRDvIWdK7pv+UOc9kWoXQ5ZlhgkR+mcaKG1lZE3I ZiX+4L980gXUvDdd+e/QqdMVmXJZBgfVSD5KArxYD2ryI4CbwohMS5G/u8iJx/mivfHPziRyPjd 9brAT78S3n30pD7tz5Ft59j8K491m29iY7Iaq3KwOlES990DPpmRINSzHY9fAuzFO1Ekd8BvbF5 3htXieltwgJecnmvrYs9lZEm1wLIZ8vBsPpEWZpv0tS4Ii/3My/40UXyfDvdYKvRLjTSYt8yY5O ChdviUHceOZk504MDvvcfRySh5yxhKZWV5CV8tG+7eFisUvLk= X-Received: by 2002:a17:90b:3c0f:b0:381:939e:adf0 with SMTP id 98e67ed59e1d1-3829fbd7827mr7796480a91.31.1783291198427; Sun, 05 Jul 2026 15:39:58 -0700 (PDT) Received: from computer ([2405:201:d015:d26b:41c5:151e:6e02:36c7]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-30f3b252222sm28162093eec.23.2026.07.05.15.39.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 05 Jul 2026 15:39:58 -0700 (PDT) Date: Mon, 6 Jul 2026 04:09:50 +0530 From: Varun R Mallya To: Guangshuo Li Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Eduard Zingerman , Kumar Kartikeya Dwivedi , Martin KaFai Lau , Song Liu , Yonghong Song , Jiri Olsa , Emil Tsalapatis , bpf@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] libbpf: Check full backing type size for bitfield dump Message-ID: References: <20260705032603.275766-1-lgs201920130244@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260705032603.275766-1-lgs201920130244@gmail.com> On Sun, Jul 05, 2026 at 11:26:03AM +0800, Guangshuo Li wrote: > btf_dump_get_bitfield_value() builds a bitfield value by reading bytes > from the backing integer type. The bounds check added for short data > buffers uses the number of bytes covered by the bitfield itself, but the > read loop consumes the full backing type width. > > For narrow bitfields this can leave part of the backing type unchecked. > For example, a one-bit field backed by a four-byte integer only requires > one byte according to the bitfield span calculation, while the value > construction still reads four bytes. > > Check the backing type size instead, so the bounds check matches the > actual read range. > > Fixes: 5714ca8cba5e ("libbpf: Fix OOB read in btf_dump_get_bitfield_value") > Signed-off-by: Guangshuo Li > --- > tools/lib/bpf/btf_dump.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c > index cc1ba65bb6c5..a49790e356a8 100644 > --- a/tools/lib/bpf/btf_dump.c > +++ b/tools/lib/bpf/btf_dump.c > @@ -1771,7 +1771,7 @@ static int btf_dump_get_bitfield_value(struct btf_dump *d, > nr_bytes = (start_bit + bit_sz + 7) / 8; nr_bytes and the line before it are made obsolete due to your change and become an unused variable, so that would need cleanup, as sashiko correctly pointed out. > /* Bound check */ > - if (data + nr_bytes > d->typed_dump->data_end) > + if (data + t->size > d->typed_dump->data_end) The fix does not seem right to me. This will reject something like: struct packed_int8 { int a:8; } __attribute__((packed)); with BTF output like: STRUCT 'packed_int8' size=1 'a' type_id=2 bits_offset=0 bitfield_size=8 INT 'int' size=4 As you can see, this valid object has a size of 1 but BTF type has size 4. nr_bytes (the old one), would get calculated as 1, and t->size would show up as 4. This will unncessarily reject valid data. I do understand the concern with the loops below using t->size but the check happening on a value calculated separately, and this can actually trigger an OOB. You could maybe try fixing the loops instead by handling packed bitfields (like the case I gave) specially, but making the check more strict is something I don't think is helpful. > return -E2BIG; > > /* Maximum supported bitfield size is 64 bits */ > -- > 2.43.0 >