bpf: Validate BTF repeated field counts before expansion

btf_parse_struct_metas() walks user-supplied BTF during BPF_BTF_LOAD,
and btf_repeat_fields() expands repeatable fields from array elements
into the fixed BTF_FIELDS_MAX scratch array used by btf_parse_fields().

The remaining-capacity check performs the expanded field count calculation
in u32. A malformed BTF can wrap that calculation, causing the check to
pass even when the expanded field count exceeds the scratch array
capacity. The following memcpy() can then write past the end of the
array.

Use checked addition and multiplication before copying repeated fields
and reject impossible counts.

Fixes: 797d73ee232d ("bpf: Check the remaining info_cnt before repeating btf fields")
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moses <p@1g4.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20260605234301.1109063-1-p@1g4.org
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index ef440227478645522f7ae142813cecfe3b0f3d4c..15ae7c43f594bebcf941760d7554732439e129ff 100644 (file)
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3667,7 +3667,7 @@ end:
 static int btf_repeat_fields(struct btf_field_info *info, int info_cnt,
                             u32 field_cnt, u32 repeat_cnt, u32 elem_size)
 {
-       u32 i, j;
+       u32 i, j, total_cnt, total_repeats;
        u32 cur;
 
        /* Ensure not repeating fields that should not be repeated. */
@@ -3685,10 +3685,9 @@ static int btf_repeat_fields(struct btf_field_info *info, int info_cnt,
                }
        }
 
-       /* The type of struct size or variable size is u32,
-        * so the multiplication will not overflow.
-        */
-       if (field_cnt * (repeat_cnt + 1) > info_cnt)
+       if (check_add_overflow(repeat_cnt, 1, &total_repeats) ||
+           check_mul_overflow(field_cnt, total_repeats, &total_cnt) ||
+           total_cnt > (u32)info_cnt)
                return -E2BIG;
 
        cur = field_cnt;