Currently, btf_name_valid_identifier() and btf_name_valid_section() are written in a while loop and use pointer operations, so it takes a long time to understand the operation of the code. Therefore, I suggest refactoring the code to make it easier to maintain. In addition, btf_name_valid_section() does not check for the case where src[0] is a NULL value, resulting in an out-of-bounds vuln. Therefore, a check for this should be added.

Reported-by: Jeongjun Park <aha310510@xxxxxxxxx>
Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
---
 kernel/bpf/btf.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 674b38c33c74..c1e2aead9141 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -794,21 +794,18 @@ static bool btf_name_valid_identifier(const struct btf *btf, u32 offset)
 {
 /* offset must be valid */
 const char *src = btf_str_by_offset(btf, offset);
- const char *src_limit;
+ int i;

- if (!__btf_name_char_ok(*src, true))
+ if (!__btf_name_char_ok(src[0], true))
 return false;

 /* set a limit on identifier length */
- src_limit = src + KSYM_NAME_LEN;
- src++;
- while (*src && src < src_limit) {
- if (!__btf_name_char_ok(*src, false))
+ for (i = 1; i < KSYM_NAME_LEN && src[i]; i++) {
+ if (!__btf_name_char_ok(src[i], false))
 return false;
- src++;
 }

- return !*src;
+ return !src[i];
 }

 /* Allow any printable character in DATASEC names */
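Review bot: The trailing `return !src[i];` in btf_name_valid_identifier() reads src[KSYM_NAME_LEN] whenever the loop stops on the length limit rather than on a NUL, one byte beyond the bound the loop condition enforces; the old `*src` at src_limit read the same byte, so the hunk does not change this, but the index form makes the reliance on the string section's terminating NUL (which, as far as I can tell, is what keeps that read inside the section) worth stating. I would add above the return: `/* i == KSYM_NAME_LEN only if no NUL was seen yet; the string section ends in NUL, so src[i] is still inside it */`. Separately, this hunk is a pure restyle of a function the Fixes: tag does not cover; keeping it out of the fix patch would let the btf_name_valid_section() change backport on its own.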
@@ -816,18 +813,18 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
 {
 /* offset must be valid */
 const char *src = btf_str_by_offset(btf, offset);
- const char *src_limit;
+ int i;
+
+ if (!src[0])
+ return false;

 /* set a limit on identifier length */
- src_limit = src + KSYM_NAME_LEN;
- src++;
- while (*src && src < src_limit) {
- if (!isprint(*src))
+ for (i = 1; i < KSYM_NAME_LEN && src[i]; i++) {
+ if (!isprint(src[i]))
 return false;
- src++;
 }

- return !*src;
+ return !src[i];
 }

 static const char *__btf_name_by_offset(const struct btf *btf, u32 offset)
--
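Review bot: The new `if (!src[0]) return false;` stops the read past an empty name, but src[0] itself is still never passed through isprint() because the loop starts at i = 1, so a DATASEC name whose first byte is non-printable (a control byte, for instance) is still accepted while the same byte anywhere else in the name is rejected. Starting the loop at the first byte closes that gap: `for (i = 0; i < KSYM_NAME_LEN && src[i]; i++) {`; the empty-name guard above must stay, since with i = 0 an empty name would otherwise fall straight through to `return !src[i]` and be accepted. As in the identifier variant, `return !src[i]` reads src[KSYM_NAME_LEN] when the length limit is hit, which relies on the string section being NUL-terminated; a one-line comment there, such as `/* past the limit only if no NUL was seen yet; the string section ends in NUL */`, would help the next reader.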