patch 'bpf/validate: prevent overflow when building graph' has been queued to stable release 24.11.7

luca.boccassi at gmail.com luca.boccassi at gmail.com
Mon Jul 6 12:21:13 CEST 2026


Hi,

FYI, your patch has been queued to stable release 24.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/05/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/6ea04bacafb19aa6ef54eb7e252bce8497d1639a

Thanks.

Luca Boccassi

---
>From 6ea04bacafb19aa6ef54eb7e252bce8497d1639a Mon Sep 17 00:00:00 2001
From: Marat Khalili <marat.khalili at huawei.com>
Date: Wed, 24 Jun 2026 13:17:56 +0100
Subject: [PATCH] bpf/validate: prevent overflow when building graph

[ upstream commit 1ad243a134be6109b0b8f969a0154186997ff935 ]

Function `evst_pool_init` for malicious or corrupt BPF program with
number of conditional jumps exceeding a third of UINT32_MAX could cause
arithmetic and buffer overflows when working with the program graph.

Fix the issue by limiting maximum number of conditional jumps supported
by UINT32_MAX / 4, or more than 1 billion.

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")

Reported-by: Claudia Cauli <claudiacauli at gmail.com>
Signed-off-by: Marat Khalili <marat.khalili at huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
---
 lib/bpf/bpf_validate.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index cc8a4baf4b..4ceb31dbd0 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -2187,6 +2187,10 @@ evst_pool_init(struct bpf_verifier *bvf)
 {
 	uint32_t k, n;
 
+	if (bvf->nb_jcc_nodes > UINT32_MAX / 4)
+		/* Calculations that follow may overflow. */
+		return -E2BIG;
+
 	/*
 	 * We need nb_jcc_nodes + 1 for save_cur/restore_cur
 	 * remaining ones will be used for state tracking/pruning.
-- 
2.47.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-07-03 12:55:49.745288783 +0100
+++ 0081-bpf-validate-prevent-overflow-when-building-graph.patch	2026-07-03 12:55:46.730575555 +0100
@@ -1 +1 @@
-From 1ad243a134be6109b0b8f969a0154186997ff935 Mon Sep 17 00:00:00 2001
+From 6ea04bacafb19aa6ef54eb7e252bce8497d1639a Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 1ad243a134be6109b0b8f969a0154186997ff935 ]
+
@@ -14 +15,0 @@
-Cc: stable at dpdk.org
@@ -24 +25 @@
-index 03c590c753..f9960088a2 100644
+index cc8a4baf4b..4ceb31dbd0 100644
@@ -27 +28 @@
-@@ -2662,6 +2662,10 @@ evst_pool_init(struct bpf_verifier *bvf)
+@@ -2187,6 +2187,10 @@ evst_pool_init(struct bpf_verifier *bvf)


More information about the stable mailing list