patch 'bpf/validate: fix BPF_MUL signed overflow UB' has been queued to stable release 24.11.7
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Mon Jul 6 12:21:05 CEST 2026
Hi,
FYI, your patch has been queued to stable release 24.11.7
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/05/26. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/73f1a73e02655a3eba7ad94712cf2a39beb995d4
Thanks.
Luca Boccassi
---
>From 73f1a73e02655a3eba7ad94712cf2a39beb995d4 Mon Sep 17 00:00:00 2001
From: Marat Khalili <marat.khalili at huawei.com>
Date: Wed, 24 Jun 2026 13:17:47 +0100
Subject: [PATCH] bpf/validate: fix BPF_MUL signed overflow UB
[ upstream commit cc205e72e6c3bcffa45422f218b29d17cdb734bb ]
Function `eval_mul` triggered signed overflow for large constants.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: lddw r2, #0x9876543210
3: mul r2, #0x12345678 ; tested instruction
4: mov r0, #0x1
5: exit
With sanitizer the following diagnostic is generated:
lib/bpf/bpf_validate.c:1032:26: runtime error: signed integer
overflow: 654820258320 * 305419896 cannot be represented in type
'long int'
#0 0x000002746bfd in eval_mul lib/bpf/bpf_validate.c:1032
#1 0x00000274b6ac in eval_alu lib/bpf/bpf_validate.c:1260
#2 0x00000275c526 in evaluate lib/bpf/bpf_validate.c:3174
...
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
lib/bpf/bpf_validate.c:1032:26
Multiply constants as unsigned which will produce mathematically correct
result in two's complement representation, add test.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Reported-by: Claudia Cauli <claudiacauli at gmail.com>
Signed-off-by: Marat Khalili <marat.khalili at huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
---
lib/bpf/bpf_validate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 2e42d3ceb1..20428393d9 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -513,8 +513,8 @@ eval_mul(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
/* both operands are constants */
if (rd->s.min == rd->s.max && rs->s.min == rs->s.max) {
- rd->s.min = (rd->s.min * rs->s.min) & msk;
- rd->s.max = (rd->s.max * rs->s.max) & msk;
+ rd->s.min = ((uint64_t)rd->s.min * (uint64_t)rs->s.min) & msk;
+ rd->s.max = ((uint64_t)rd->s.max * (uint64_t)rs->s.max) & msk;
/* check that both operands are positive and no overflow */
} else if (rd->s.min >= 0 && rs->s.min >= 0) {
rd->s.max *= rs->s.max;
--
2.47.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2026-07-03 12:55:49.450598293 +0100
+++ 0073-bpf-validate-fix-BPF_MUL-signed-overflow-UB.patch 2026-07-03 12:55:46.722575344 +0100
@@ -1 +1 @@
-From cc205e72e6c3bcffa45422f218b29d17cdb734bb Mon Sep 17 00:00:00 2001
+From 73f1a73e02655a3eba7ad94712cf2a39beb995d4 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit cc205e72e6c3bcffa45422f218b29d17cdb734bb ]
+
@@ -34 +35,0 @@
-Cc: stable at dpdk.org
@@ -40,32 +41,3 @@
- app/test/test_bpf_validate.c | 17 +++++++++++++++++
- lib/bpf/bpf_validate.c | 4 ++--
- 2 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
-index e908101192..ae28e85a29 100644
---- a/app/test/test_bpf_validate.c
-+++ b/app/test/test_bpf_validate.c
-@@ -1289,6 +1289,23 @@ test_alu64_div_mod_overflow(void)
- REGISTER_FAST_TEST(bpf_validate_alu64_div_mod_overflow_autotest, NOHUGE_OK, ASAN_OK,
- test_alu64_div_mod_overflow);
-
-+/* 64-bit multiplication of constant and immediate with overflow. */
-+static int
-+test_alu64_mul_k_overflow(void)
-+{
-+ return verify_instruction((struct verify_instruction_param){
-+ .tested_instruction = {
-+ .code = (EBPF_ALU64 | BPF_MUL | BPF_K),
-+ .imm = 0x12345678,
-+ },
-+ .pre.dst = make_singleton_domain(0x9876543210),
-+ .post.dst = make_singleton_domain(0x9876543210u * 0x12345678),
-+ });
-+}
-+
-+REGISTER_FAST_TEST(bpf_validate_alu64_mul_k_overflow_autotest, NOHUGE_OK, ASAN_OK,
-+ test_alu64_mul_k_overflow);
-+
- /* 64-bit mul of small scalar range and immediate. */
- static int
- test_alu64_mul_k_range_small(void)
+ lib/bpf/bpf_validate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
@@ -73 +45 @@
-index 08717671a8..2b73e36288 100644
+index 2e42d3ceb1..20428393d9 100644
@@ -76 +48 @@
-@@ -921,8 +921,8 @@ eval_mul(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
+@@ -513,8 +513,8 @@ eval_mul(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
More information about the stable
mailing list