Re: [PATCH bpf-next v3] bpf: fix out-of-bounds write in bpf_bprintf_prepare with %pI4/%pI6

Thu, 19 Mar 2026 07:50:42 -0700 

On Thu, Mar 19, 2026 at 12:49:00PM +0000, Ibrahim Zein wrote:
> In bpf_bprintf_prepare(), the bounds check for %pI4 and %pI6 format
> specifiers uses sizeof_cur_ip (4 for IPv4, 16 for IPv6), which is the
> raw byte count of the IP address. However, snprintf() returns the
> length of the formatted string, not the raw bytes. For IPv4 this can
> be up to 15 characters (255.255.255.255) and for IPv6 up to 39.
> 
> tmp_buf is then advanced by (err + 1) using the full string length,
> which can push tmp_buf past tmp_buf_end. The next iteration's bounds
> check underflows due to unsigned arithmetic and passes, allowing a
> write past the end of the per-CPU bin_args buffer.
> 
> Fix this by checking against the maximum formatted string size:
> 16 bytes for IPv4 and 40 bytes for IPv6.
> 
> Fixes: 48cac3f4a96d ("bpf: Implement formatted output helpers with 
> bstr_printf")
> Signed-off-by: Ibrahim Zein <[email protected]>
> ---

Please include a changelog whenever sending a new version. That's
typically the first thing I look at, to get an idea of the current
state.

>  kernel/bpf/helpers.c                          |  2 +-
>  .../bpf/prog_tests/test_snprintf_ip.c         | 54 +++++++++++++
>  .../selftests/bpf/progs/test_snprintf_ip.c    | 78 +++++++++++++++++++
>  3 files changed, 133 insertions(+), 1 deletion(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c
>  create mode 100644 tools/testing/selftests/bpf/progs/test_snprintf_ip.c
> 
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index cb6d242bd..dcaa822ba 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -930,7 +930,7 @@ int bpf_bprintf_prepare(const char *fmt, u32 fmt_size, 
> const u64 *raw_args,
>                               goto nocopy_fmt;
>  
>                       sizeof_cur_ip = (fmt[i] == '4') ? 4 : 16;
> -                     if (tmp_buf_end - tmp_buf < sizeof_cur_ip) {
> +                     if (tmp_buf_end - tmp_buf < (size_t)((fmt[i] == '4') ? 
> 16 : 40)) {

Maybe this code could be improved, but I don't think it's going to cause
an out-of-bounds write as the write into tmp_buf is done with snprintf.

>                               err = -ENOSPC;
>                               goto out;
>                       }
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c 
> b/tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c
> new file mode 100644
> index 000000000..5b000d6d1
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_snprintf_ip.c

This new test is always passing.

In addition, when adding selftests that cover your changes, it's
preferred to introduce them in a new patch.

[...]

Reply via email to