bpf: fix out-of-bounds write in bpf_bprintf_prepare with %pI4/%pI6#11476
Closed
kernel-patches-daemon-bpf[bot] wants to merge 2 commits intobpf-next_basefrom
Closed
bpf: fix out-of-bounds write in bpf_bprintf_prepare with %pI4/%pI6#11476kernel-patches-daemon-bpf[bot] wants to merge 2 commits intobpf-next_basefrom
kernel-patches-daemon-bpf[bot] wants to merge 2 commits intobpf-next_basefrom
Conversation
Author
|
Upstream branch: 4a4fedb |
kernel-patches-daemon-bpf
Bot
force-pushed
the
bpf-next_base
branch
from
9f8e178 to
1857029
Compare
Author
|
Upstream branch: 350de5b |
kernel-patches-daemon-bpf
Bot
force-pushed
the
series/1069273=>bpf-next
branch
from
9ee5c39 to
b6d2d39
Compare
kernel-patches-daemon-bpf
Bot
force-pushed
the
bpf-next_base
branch
from
1857029 to
c0c253d
Compare
Author
|
Upstream branch: 4b21ea5 |
kernel-patches-daemon-bpf
Bot
force-pushed
the
series/1069273=>bpf-next
branch
from
b6d2d39 to
0b6082f
Compare
kernel-patches-daemon-bpf
Bot
force-pushed
the
bpf-next_base
branch
from
c0c253d to
bcc2ccd
Compare
Author
|
Upstream branch: 21337b5 |
In bpf_bprintf_prepare(), the bounds check for %pI4 and %pI6 format specifiers uses sizeof_cur_ip (4 for IPv4, 16 for IPv6), which is the raw byte count of the IP address. However, snprintf() returns the length of the formatted string, not the raw bytes. For IPv4 this can be up to 15 characters (255.255.255.255) and for IPv6 up to 39. tmp_buf is then advanced by (err + 1) using the full string length, which can push tmp_buf past tmp_buf_end. The next iteration's bounds check underflows due to unsigned arithmetic and passes, allowing a write past the end of the per-CPU bin_args buffer. Fix this by checking against the maximum formatted string size: 16 bytes for IPv4 and 40 bytes for IPv6. Fixes: 48cac3f ("bpf: Implement formatted output helpers with bstr_printf") Signed-off-by: Ibrahim Zein <zeroxjacks@gmail.com>
kernel-patches-daemon-bpf
Bot
force-pushed
the
series/1069273=>bpf-next
branch
from
0b6082f to
e9bb3c4
Compare
kernel-patches-daemon-bpf
Bot
force-pushed
the
bpf-next_base
branch
from
bcc2ccd to
5da949e
Compare
Author
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1069273 expired. Closing PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: fix out-of-bounds write in bpf_bprintf_prepare with %pI4/%pI6
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1069273