patch 'bpf/validate: fix BPF_LSH shift-out-of-bounds UB' has been queued to stable release 24.11.7

luca.boccassi at gmail.com luca.boccassi at gmail.com
Mon Jul 6 12:21:09 CEST 2026


Hi,

FYI, your patch has been queued to stable release 24.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/05/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/bedbb4cd966f6ce3bb3e66c0aa27f3a1840234c8

Thanks.

Luca Boccassi

---
>From bedbb4cd966f6ce3bb3e66c0aa27f3a1840234c8 Mon Sep 17 00:00:00 2001
From: Marat Khalili <marat.khalili at huawei.com>
Date: Wed, 24 Jun 2026 13:17:52 +0100
Subject: [PATCH] bpf/validate: fix BPF_LSH shift-out-of-bounds UB

[ upstream commit 42b1e624f3849a171f7e7074121b8f0b1b706550 ]

Function `eval_lsh` when validating left shift by 63 invoked macro
`RTE_LEN2MASK(0, int64_t)` which triggered shift-out-of-bounds undefined
behaviour.

E.g. consider the following program with the current validation code:

    Tested program:
        0:  mov r0, #0x0
        1:  ldxdw r2, [r1 + 0]
        2:  jlt r2, #0x3, L8
        3:  jgt r2, #0x5, L8
        4:  jslt r2, #0x3, L8
        5:  jsgt r2, #0x5, L8
        6:  lsh r2, #0x3f  ; tested instruction
        7:  mov r0, #0x1
        8:  exit
    Pre-state:
       r2:  3..5
    Post-state:
       r2:  0..UINT64_MAX

With sanitizer the following diagnostic is generated:

    lib/bpf/bpf_validate.c:785:4: runtime error: shift exponent 64 is
    too large for 64-bit type 'long unsigned int'
        #0 0x00000274d5e0 in eval_lsh lib/bpf/bpf_validate.c:785
        #1 0x00000275a2ea in eval_alu lib/bpf/bpf_validate.c:1310
        #2 0x00000276ce3d in evaluate lib/bpf/bpf_validate.c:3284

Add guard for this case, add test.

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")

Reported-by: Claudia Cauli <claudiacauli at gmail.com>
Signed-off-by: Marat Khalili <marat.khalili at huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
---
 lib/bpf/bpf_validate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index e7a6324ba5..9206122812 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -326,7 +326,8 @@ eval_lsh(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
 
 	/* check that dreg values are and would remain always positive */
 	if ((uint64_t)rd->s.min >> (opsz - 1) != 0 || rd->s.max >=
-			RTE_LEN2MASK(opsz - rs->u.max - 1, int64_t))
+			(rs->u.max == opsz - 1 ? 0 :
+				 RTE_LEN2MASK(opsz - rs->u.max - 1, int64_t)))
 		eval_smax_bound(rd, msk);
 	else {
 		rd->s.max <<= rs->u.max;
-- 
2.47.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-07-03 12:55:49.599038981 +0100
+++ 0077-bpf-validate-fix-BPF_LSH-shift-out-of-bounds-UB.patch	2026-07-03 12:55:46.726575450 +0100
@@ -1 +1 @@
-From 42b1e624f3849a171f7e7074121b8f0b1b706550 Mon Sep 17 00:00:00 2001
+From bedbb4cd966f6ce3bb3e66c0aa27f3a1840234c8 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 42b1e624f3849a171f7e7074121b8f0b1b706550 ]
+
@@ -38 +39,0 @@
-Cc: stable at dpdk.org
@@ -44,32 +45,3 @@
- app/test/test_bpf_validate.c | 17 +++++++++++++++++
- lib/bpf/bpf_validate.c       |  3 ++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
-index 40ed84ca67..55a2f383bd 100644
---- a/app/test/test_bpf_validate.c
-+++ b/app/test/test_bpf_validate.c
-@@ -1536,6 +1536,23 @@ test_alu64_div_mod_overflow(void)
- REGISTER_FAST_TEST(bpf_validate_alu64_div_mod_overflow_autotest, NOHUGE_OK, ASAN_OK,
- 	test_alu64_div_mod_overflow);
- 
-+/* 64-bit left shift by 63. */
-+static int
-+test_alu64_lsh_63(void)
-+{
-+	return verify_instruction((struct verify_instruction_param){
-+		.tested_instruction = {
-+			.code = (EBPF_ALU64 | BPF_LSH | BPF_K),
-+			.imm = 63,
-+		},
-+		.pre.dst = make_signed_domain(3, 5),
-+		.post.dst = unknown,
-+	});
-+}
-+
-+REGISTER_FAST_TEST(bpf_validate_alu64_lsh_63_autotest, NOHUGE_OK, ASAN_OK,
-+	test_alu64_lsh_63);
-+
- /* 64-bit multiplication of constant and immediate with overflow. */
- static int
- test_alu64_mul_k_overflow(void)
+ lib/bpf/bpf_validate.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
@@ -77 +49 @@
-index d4d8ec4251..4e4c0ddeb2 100644
+index e7a6324ba5..9206122812 100644
@@ -80 +52 @@
-@@ -746,7 +746,8 @@ eval_lsh(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
+@@ -326,7 +326,8 @@ eval_lsh(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,


More information about the stable mailing list