On Wed, 2024-09-11 at 19:05 +0800, Hou Tao wrote: [...] > --- > kernel/bpf/btf.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > index a4e4f8d43ecf..9a4a074d26f5 100644 > --- a/kernel/bpf/btf.c > +++ b/kernel/bpf/btf.c > @@ -3592,6 +3592,12 @@ static int btf_find_nested_struct(const struct btf *btf, const struct btf_type * > info[i].off += off; > > if (nelems > 1) { > + /* The type of struct size or variable size is u32, > + * so the multiplication will not overflow. > + */ > + if (ret * nelems > info_cnt) > + return -E2BIG; > + > err = btf_repeat_fields(info, ret, nelems - 1, t->size); > if (err == 0) > ret *= nelems; btf_repeat_fields(struct btf_field_info *info, u32 field_cnt, u32 repeat_cnt, u32 elem_size) copies the fields "field_cnt * repeat_cnt" times; in this case field_cnt == ret and repeat_cnt == nelems - 1, so should the check be "ret * (nelems - 1) > info_cnt"? I suggest adding info_cnt as a parameter of btf_repeat_fields() and doing the check there, so that the check won't be forgotten again if btf_repeat_fields() is used elsewhere. Wdyt?
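Review bot: the bound `ret * nelems > info_cnt` in the added check is the right one, because `info` already holds `ret` entries and btf_repeat_fields() appends `ret * (nelems - 1)` more, so the array ends up holding `ret * nelems` entries (which is exactly what the existing `ret *= nelems` after the call reflects); a check against `ret * (nelems - 1)` would leave the last `ret` entries unaccounted for and still allow a write past `info_cnt`. Moving the check into btf_repeat_fields() as suggested is reasonable, but the comparison there should then be `field_cnt + field_cnt * repeat_cnt > info_cnt` (or equivalently `field_cnt * (repeat_cnt + 1) > info_cnt`) rather than `field_cnt * repeat_cnt > info_cnt`. The added comment should also say what it actually relies on: `ret` is bounded by `info_cnt` and `nelems` by `t->size` (a u32 total size divided by the element size), which is why the product cannot wrap; "the type of struct size or variable size is u32" does not by itself rule out overflow of a product.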