From: Varun R Mallya
To: andrii@kernel.org, alan.maguire@oracle.com
Cc: ast@kernel.org, daniel@iogearbox.net, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, varunrmallya@gmail.com, Harrison Green
Subject: [PATCH bpf] libbpf: Fix OOB read in btf_dump_get_bitfield_value
Date: Wed, 7 Jan 2026 05:05:27 +0530
Message-ID: <20260106233527.163487-1-varunrmallya@gmail.com>

When dumping bitfield data, btf_dump_get_bitfield_value() reads data based on the underlying type's size (t->size). However, it does not verify that the provided data buffer (data_sz) is large enough to contain these bytes.

If btf_dump__dump_type_data() is called with a buffer smaller than the type's size, this leads to an out-of-bounds read. This was confirmed by AddressSanitizer in the linked issue.

Fix this by ensuring we do not read past the provided data_sz limit.

Fixes: a1d3cc3c5eca ("libbpf: Avoid use of __int128 in typed dump display")
Reported-by: Harrison Green
Closes: https://github.com/libbpf/libbpf/issues/928
Suggested-by: Alan Maguire
Signed-off-by: Varun R Mallya
---
 tools/lib/bpf/btf_dump.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
index 6388392f49a0..53c6624161d7 100644
--- a/tools/lib/bpf/btf_dump.c
+++ b/tools/lib/bpf/btf_dump.c
@@ -1762,9 +1762,18 @@ static int btf_dump_get_bitfield_value(struct btf_du= mp *d, __u16 left_shift_bits, right_shift_bits; const __u8 *bytes =3D data; __u8 nr_copy_bits; + __u8 start_bit, nr_bytes; __u64 num =3D 0; int i; =20 + /* Calculate how many bytes cover the bitfield */ + start_bit =3D bits_offset % 8; + nr_bytes =3D (start_bit + bit_sz + 7) / 8; + + /* Bound check */ + if (data + nr_bytes > d->typed_dump->data_end) + return -E2BIG; + /* Maximum supported bitfield size is 64 bits */ if (t->size > 8) { pr_warn("unexpected bitfield size %d\n", t->size); --=20 2.52.0
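Review bot: the new bound check is sized by nr_bytes = (start_bit + bit_sz + 7) / 8, but the commit message says the function reads t->size bytes of the underlying type, and nothing in this hunk changes that read; for a narrow field in a wide type (say 8 bits of a u64) nr_bytes is smaller than t->size, so a buffer that passes the check can still be read past data_end. Either check what is actually read, `if (data + t->size > d->typed_dump->data_end)`, or shrink the copy loop to nr_bytes so the check and the access agree. Two smaller points: the check sits ahead of the `t->size > 8` guard, so an unsupported width on a short buffer now returns -E2BIG silently instead of the warning plus -EINVAL below it, and a one-line comment on why -E2BIG is the chosen return for a truncated buffer would help the next reader.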
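As an added example (not libbpf's code and not the patch above), the extraction the commit message describes, with the bound check sized by the bytes the copy loop actually touches rather than by the bitfield alone; bitfield_read and sample_decode are hypothetical names, the sample buffer is constructed, and the buffer is interpreted as little-endian regardless of host byte order:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a bit_sz-bit field that starts bits_offset bits into a type_sz-byte
 * little-endian integer at data; data_end is one past the last byte the
 * caller owns. The copy loop touches type_sz bytes, so the bound check is
 * sized by type_sz, not by the (possibly narrower) bitfield itself. */
static int bitfield_read(const void *data, const void *data_end,
                         uint8_t type_sz, uint8_t bits_offset,
                         uint8_t bit_sz, uint64_t *value)
{
    const uint8_t *bytes = data, *end = data_end;
    unsigned nr_copy_bits = (unsigned)bit_sz + bits_offset;
    uint64_t num = 0;
    int i;

    if (type_sz == 0 || type_sz > 8 || bit_sz == 0 || nr_copy_bits > 64)
        return -EINVAL;
    /* Compare the remaining length, not a pointer formed past the buffer. */
    if (end < bytes || (size_t)(end - bytes) < type_sz)
        return -E2BIG;

    for (i = type_sz - 1; i >= 0; i--)
        num = num * 256 + bytes[i];
    /* Drop the bits above the field, then shift the field down to bit 0. */
    *value = (num << (64 - nr_copy_bits)) >> (64 - bit_sz);
    return 0;
}

/* Constructed sample: the u32 value 0x00000FF0 stored little-endian, handed
 * to the decoder as a buffer of only `avail` bytes. Returns the decoded value
 * or the negative errno from bitfield_read (demo helper; values stay small). */
static long long sample_decode(size_t avail, uint8_t type_sz,
                               uint8_t bits_offset, uint8_t bit_sz)
{
    static const uint8_t sample[4] = { 0xF0, 0x0F, 0x00, 0x00 };
    uint64_t value = 0;
    int err = bitfield_read(sample, sample + avail, type_sz,
                            bits_offset, bit_sz, &value);
    return err ? err : (long long)value;
}
int main(void)
{
    printf("8 bits at offset 4 of a u32: %lld\n", sample_decode(4, 4, 4, 8));
    printf("same field, u64 type, 4-byte buffer: %lld\n", sample_decode(4, 8, 4, 8));
    return 0;
}
```

The second call is the case the patch is about: the 8-bit field itself fits in the buffer, but the 8-byte read that the type size implies does not, so the decoder must refuse it.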