6.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park aha310510@gmail.com
[ Upstream commit bb6705c3f93bed2af03d43691743d4c43e3c8e6f ]
If the length of the name string is 1 and the value of name[0] is NULL byte, an OOB vulnerability occurs in btf_name_valid_section() and the return value is true, so the invalid name passes the check.
To solve this, you need to check if the first position is NULL byte and if the first character is printable.
Suggested-by: Eduard Zingerman eddyz87@gmail.com Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names") Signed-off-by: Jeongjun Park aha310510@gmail.com Link: https://lore.kernel.org/r/20240831054702.364455-1-aha310510@gmail.com Signed-off-by: Alexei Starovoitov ast@kernel.org Acked-by: Eduard Zingerman eddyz87@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- kernel/bpf/btf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index fe360b5b211d..2f157ffbc67c 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -817,9 +817,11 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset) const char *src = btf_str_by_offset(btf, offset); const char *src_limit;
+ if (!*src) + return false; + /* set a limit on identifier length */ src_limit = src + KSYM_NAME_LEN; - src++; while (*src && src < src_limit) { if (!isprint(*src)) return false;