From: Himanshu Anand
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Himanshu Anand
Subject: [PATCH bpf v2] bpf: Add nelems overflow check in btf_find_field_one()
Date: Sat, 23 May 2026 08:47:36 +0100
Message-Id: <20260523074736.222994-1-anand.himanshu17@gmail.com>

btf_find_field_one() multiplies a u32 nelems accumulator by each nested array level's element count without checking for overflow. The sibling function __btf_resolve_size() already guards against the same overflow pattern (btf.c line 2110).

Currently the BTF array verifier (btf_array_resolve) rejects BTF blobs whose total array size would overflow u32, so this code path is not reachable with crafted BTF input on kernels that include that check. Add check_mul_overflow() anyway to keep btf_find_field_one() self-consistent with __btf_resolve_size() and to guard against future changes in the validation ordering.

Fixes: 994796c0256c ("bpf: create repeated fields for arrays.")
Signed-off-by: Himanshu Anand
---
 kernel/bpf/btf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index a62d78581207..b767a9fcf095 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3765,7 +3765,8 @@ static int btf_find_field_one(const struct btf *btf, */ for (i =3D 0; i < MAX_RESOLVE_DEPTH && btf_type_is_array(var_type); i++) { array =3D btf_array(var_type); - nelems *=3D array->nelems; + if (check_mul_overflow(nelems, array->nelems, &nelems)) + return -E2BIG; var_type =3D btf_type_by_id(btf, array->type); } if (i =3D=3D MAX_RESOLVE_DEPTH) --=20 2.34.1
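Review bot: the new `return -E2BIG;` on the overflow branch should either use the same errno as the overflow guard in __btf_resolve_size() that the commit message cites as the model, or the message should say why -E2BIG (which matches this function's own `i == MAX_RESOLVE_DEPTH` exit visible right after the loop) is the better fit; as written, "self-consistent with __btf_resolve_size()" is only true for the check, not necessarily for the error code callers see. The arithmetic itself is sound: `nelems` and `array->nelems` are both u32, so `check_mul_overflow(nelems, array->nelems, &nelems)` stores the product only when it fits and rejects the blob before a wrapped count can reach the repeated-field logic; since the hunk adds no include, confirm linux/overflow.h already reaches btf.c. Given the message states the path is unreachable on kernels with btf_array_resolve()'s check, consider whether a Fixes: tag and the bpf (fixes) tree are warranted for what is a hardening-only change, versus bpf-next without Fixes.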