[PATCH 23/25] bpf/validate: prevent overflow when building graph

Marat Khalili marat.khalili at huawei.com
Wed May 6 19:38:41 CEST 2026


Function `evst_pool_init`, for a malicious or corrupt BPF program with a
number of conditional jumps exceeding a third of UINT32_MAX, could cause
arithmetic and buffer overflows when working with the program graph.

Fix the issue by limiting the maximum number of conditional jumps supported
to UINT32_MAX / 4, or more than 1 billion.

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable at dpdk.org

Signed-off-by: Marat Khalili <marat.khalili at huawei.com>
---
 lib/bpf/bpf_validate.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 35b7d4ad83f6..23311a36d14e 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -2662,6 +2662,10 @@ evst_pool_init(struct bpf_verifier *bvf)
 {
 	uint32_t k, n;
 
+	if (bvf->nb_jcc_nodes > UINT32_MAX / 4)
+		/* Calculations that follow may overflow. */
+		return -E2BIG;
+
 	/*
 	 * We need nb_jcc_nodes + 1 for save_cur/restore_cur
 	 * remaining ones will be used for state tracking/pruning.
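Review bot: the comment placed between the `if` and its unbraced `return` is easy to misread as a separate statement; put the comment above the `if`, or brace the body, e.g. `/* Calculations that follow may overflow. */` on the line before `if (bvf->nb_jcc_nodes > UINT32_MAX / 4)`. The divisor 4 is also a magic number with no visible link to the arithmetic it protects: the commit message says overflow starts past a third of UINT32_MAX, so either name the bound as a constant next to the pool sizing below, or extend the comment to state which multiplication of `nb_jcc_nodes` it guards so the two stay in sync if the sizing formula changes.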
-- 
2.43.0



More information about the dev mailing list