Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

libbpf: Fix OOB read in btf_dump_get_bitfield_value

When dumping bitfield data, btf_dump_get_bitfield_value() reads data
based on the underlying type's size (t->size). However, it does not
verify that the provided data buffer (data_sz) is large enough to
contain these bytes.

If btf_dump__dump_type_data() is called with a buffer smaller than
the type's size, this leads to an out-of-bounds read. This was
confirmed by AddressSanitizer in the linked issue.

Fix this by ensuring we do not read past the provided data_sz limit.

Fixes: a1d3cc3c5eca ("libbpf: Avoid use of __int128 in typed dump display")
Reported-by: Harrison Green <harrisonmichaelgreen@gmail.com>
Suggested-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Varun R Mallya <varunrmallya@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20260106233527.163487-1-varunrmallya@gmail.com

Closes: https://github.com/libbpf/libbpf/issues/928

authored by

Varun R Mallya and committed by
Andrii Nakryiko
5714ca8c 4effccde
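To make the shape of the check concrete, here is an added, self-contained C example. It is not libbpf code and not the patch author's: a little-endian bitfield reader in the style of btf_dump_get_bitfield_value() that computes the bytes covering the field the same way the fix does, nr_bytes = (start_bit + bit_sz + 7) / 8, and refuses the read with -E2BIG when those bytes are not inside the data_sz the caller supplied, instead of reading the underlying type's full size as the unfixed code did. The function name get_bitfield_value, the type_sz and data_sz parameters, MAX_TYPE_SZ and the sample bytes are this example's own assumptions. It goes slightly beyond the patch in accepting a bits_offset of 8 or more by locating the first byte itself.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libbpf code. Names and parameters are assumptions of
 * this example, not libbpf's API. */

#define MAX_TYPE_SZ 8   /* largest underlying integer type we accept */

/* Constructed sample data: little-endian bytes of the value 0x0FB4. */
static const uint8_t sample_bytes[] = { 0xB4, 0x0F };
static const size_t sample_len = sizeof(sample_bytes);

/*
 * Extract bit_sz bits starting bits_offset bits into data. data_sz is the
 * number of bytes actually present at data; type_sz is the size in bytes
 * of the field's underlying integer type (what the unfixed code read).
 *
 * Returns 0 and stores the value, -EINVAL for unsupported sizes, or -E2BIG
 * when the bytes covering the field lie (partly) beyond data_sz.
 */
static int get_bitfield_value(const void *data, size_t data_sz,
                              size_t type_sz, unsigned bits_offset,
                              unsigned bit_sz, uint64_t *value)
{
    const uint8_t *bytes = data;
    size_t first_byte, nr_bytes, i;
    unsigned start_bit;
    uint64_t num = 0;

    if (type_sz == 0 || type_sz > MAX_TYPE_SZ ||
        bit_sz == 0 || bit_sz > 64 || bit_sz > type_sz * 8)
        return -EINVAL;

    first_byte = bits_offset / 8;   /* byte holding the field's first bit */
    start_bit = bits_offset % 8;    /* bit position inside that byte */

    /* The field plus its leading bits must fit one 64-bit accumulator. */
    if (start_bit + bit_sz > 64)
        return -EINVAL;

    /* Bytes that cover the field: leading bits plus field bits, rounded up
     * to whole bytes. At most 8 given the check above. */
    nr_bytes = (start_bit + bit_sz + 7) / 8;

    /* The bounds check the unfixed code lacked: every byte we are about to
     * touch must lie within the data_sz bytes the caller gave us. The check
     * is on nr_bytes, not type_sz, so the loop below reads only nr_bytes. */
    if (first_byte + nr_bytes > data_sz)
        return -E2BIG;

    /* Little-endian assembly of exactly the bytes covering the field. */
    for (i = nr_bytes; i > 0; i--)
        num = num * 256 + bytes[first_byte + i - 1];

    /* Discard the bits below the field, then keep bit_sz bits. */
    num >>= start_bit;
    if (bit_sz < 64)
        num &= (1ULL << bit_sz) - 1;
    *value = num;
    return 0;
}

int main(void)
{
    uint64_t v = 0;
    int err;

    /* Bits 2..6 of 0xB4 (1011 0100b) -> 01101b = 13. */
    err = get_bitfield_value(sample_bytes, sample_len, 8, 2, 5, &v);
    printf("offset 2, 5 bits: err=%d value=%llu\n", err, (unsigned long long)v);

    /* Bits 6..15 of 0x0FB4 -> 62; the field spans both sample bytes. */
    err = get_bitfield_value(sample_bytes, sample_len, 8, 6, 10, &v);
    printf("offset 6, 10 bits: err=%d value=%llu\n", err, (unsigned long long)v);

    /* Same field, but the caller hands us one byte: refused with -E2BIG.
     * Reading type_sz (8) bytes here would run 7 bytes past the end. */
    err = get_bitfield_value(sample_bytes, 1, 8, 6, 10, &v);
    printf("offset 6, 10 bits, data_sz=1: err=%d%s\n", err,
           err == -E2BIG ? " (-E2BIG, read refused)" : "");
    return 0;
}
```

The point to take from the example is that the bound is derived from the bytes the field actually occupies, and that the byte-gathering loop must be limited to the same count; checking nr_bytes while still copying type_sz bytes would leave the over-read in place.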

+9
tools/lib/bpf/btf_dump.c
··· 1762 1762 __u16 left_shift_bits, right_shift_bits; 1763 1763 const __u8 *bytes = data; 1764 1764 __u8 nr_copy_bits; 1765 + __u8 start_bit, nr_bytes; 1765 1766 __u64 num = 0; 1766 1767 int i; 1768 + 1769 + /* Calculate how many bytes cover the bitfield */ 1770 + start_bit = bits_offset % 8; 1771 + nr_bytes = (start_bit + bit_sz + 7) / 8; 1772 + 1773 + /* Bound check */ 1774 + if (data + nr_bytes > d->typed_dump->data_end) 1775 + return -E2BIG; 1767 1776 1768 1777 /* Maximum supported bitfield size is 64 bits */ 1769 1778 if (t->size > 8) {
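Review bot: the new bound is computed from nr_bytes, the bytes that actually cover the bitfield, but the commit message describes the over-read as driven by t->size; the check only closes the bug if the byte-gathering loop below this hunk is also limited to nr_bytes, since a type with t->size 8 and a one-byte field ending at data_end would otherwise still read past the buffer. Either confirm that the loop now iterates over nr_bytes, or bound against t->size with `if (data + t->size > d->typed_dump->data_end)` so the check matches what is read. Minor: the comparison does arithmetic on `data`, a void pointer; `bytes` is already a `const __u8 *` on the line above and `bytes + nr_bytes` avoids relying on the GNU extension, and `/* Bound check */` would be more useful if it said that the bytes touched by the loop must lie before data_end.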