libbpf: Guard add_data() against size overflow

add_data() computes size8 = roundup(size, 8) and then hands size8 to
realloc_data_buf() before doing memcpy(gen->data_cur, data, size) with
the original size. A wrapped size8 passes through the realloc_data_buf()
INT32_MAX check. Harden this against overflow, though not realistic to
happen in practice.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260602133052.423725-3-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
index 66e13566bc31e52bd157a3765b94a5f634ea44dd..d79695f01c87f37b84179889399551487e9a2c4a 100644 (file)
--- a/tools/lib/bpf/gen_loader.c
+++ b/tools/lib/bpf/gen_loader.c
@@ -160,10 +160,16 @@ void bpf_gen__init(struct bpf_gen *gen, int log_level, int nr_progs, int nr_maps
 
 static int add_data(struct bpf_gen *gen, const void *data, __u32 size)
 {
-       __u32 size8 = roundup(size, 8);
        __u64 zero = 0;
+       __u32 size8;
        void *prev;
 
+       if (size > INT32_MAX) {
+               gen->error = -ERANGE;
+               return 0;
+       }
+       size8 = roundup(size, 8);
+
        if (realloc_data_buf(gen, size8))
                return 0;
        prev = gen->data_cur;