| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_1F9A6FB02D856F9C9550E80AEC3ECD30790A@qq.com>
Date: Thu, 8 Jan 2026 11:52:00 +0800
From: Edward Adam Davis <eadavis@...com>
To: alexei.starovoitov@...il.com
Cc: andrii@...nel.org,
ast@...nel.org,
bpf@...r.kernel.org,
daniel@...earbox.net,
eadavis@...com,
eddyz87@...il.com,
haoluo@...gle.com,
john.fastabend@...il.com,
jolsa@...nel.org,
kpsingh@...nel.org,
linux-kernel@...r.kernel.org,
martin.lau@...ux.dev,
netdev@...r.kernel.org,
sdf@...ichev.me,
song@...nel.org,
syzbot+2c29addf92581b410079@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com,
yonghong.song@...ux.dev
Subject: Re: [PATCH] bpf: Format string can't be empty
On Wed, 7 Jan 2026 19:02:37 -0800, Alexei Starovoitov <alexei.starovoitov@...il.com> wrote:
> > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> > index db72b96f9c8c..88da2d0e634c 100644
> > --- a/kernel/bpf/helpers.c
> > +++ b/kernel/bpf/helpers.c
> > @@ -827,7 +827,7 @@ int bpf_bprintf_prepare(const char *fmt, u32 fmt_size, const u64 *raw_args,
> > char fmt_ptype, cur_ip[16], ip_spec[] = "%pXX";
> >
> > fmt_end = strnchr(fmt, fmt_size, 0);
> > - if (!fmt_end)
> > + if (!fmt_end || fmt_end == fmt)
> > return -EINVAL;
>
> I don't think you root caused it correctly.
> The better fix and analysis:
I am keeping my analysis and patch.
The root cause of the problem is that the format string does not contain
a null terminator ('\0').
Filtering out map type 0x22 to solve the problem is too hasty, as it
would prevent all instructions from calling functions with constant
string arguments.
Powered by blists - more mailing lists