libbpf: Fix out-of-bound read

nandedamana · jfvogel · commit 22c601d61b10 · 2025-06-02T22:54:26.000-07:00
[ Upstream commit 236d3910117e9f97ebf75e511d8bcc950f1a4e5f ] In `set_kcfg_value_str`, an untrusted string is accessed with the assumption that it will be at least two characters long due to the presence of checks for opening and closing quotes. But the check for the closing quote (value[len - 1] != '"') misses the fact that it could be checking the opening quote itself in case of an invalid input that consists of just the opening quote. This commit adds an explicit check to make sure the string is at least two characters long. Signed-off-by: Nandakumar Edamana <nandakumar@nandakumar.co.in> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20250221210110.3182084-1-nandakumar@nandakumar.co.in Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 2c600cbe33f2072b218037895b58753cc49e5e97) Signed-off-by: Jack Vogel <jack.vogel@oracle.com>
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
@@ -2074,7 +2074,7 @@ static int set_kcfg_value_str(struct extern_desc *ext, char *ext_val,
 	}
 
 	len = strlen(value);
-	if (value[len - 1] != '"') {
+	if (len < 2 || value[len - 1] != '"') {
 		pr_warn("extern (kcfg) '%s': invalid string config '%s'\n",
 			ext->name, value);
 		return -EINVAL;

Original file line number	Diff line number	Diff line change
`@@ -2074,7 +2074,7 @@ static int set_kcfg_value_str(struct extern_desc ext, char ext_val,`
`2074`	`2074`	`}`
`2075`	`2075`
`2076`	`2076`	`len = strlen(value);`
`2077`		`- if (value[len - 1] != '"') {`
	`2077`	`+ if (len < 2 \|\| value[len - 1] != '"') {`
`2078`	`2078`	`pr_warn("extern (kcfg) '%s': invalid string config '%s'\n",`
`2079`	`2079`	`ext->name, value);`
`2080`	`2080`	`return -EINVAL;`