Commit 5714ca8c authored Jan 07, 2026 by Varun R Mallya Committed by Andrii Nakryiko Jan 09, 2026

libbpf: Fix OOB read in btf_dump_get_bitfield_value



When dumping bitfield data, btf_dump_get_bitfield_value() reads data
based on the underlying type's size (t->size). However, it does not
verify that the provided data buffer (data_sz) is large enough to
contain these bytes.

If btf_dump__dump_type_data() is called with a buffer smaller than
the type's size, this leads to an out-of-bounds read. This was
confirmed by AddressSanitizer in the linked issue.

Fix this by ensuring we do not read past the provided data_sz limit.

Fixes: a1d3cc3c ("libbpf: Avoid use of __int128 in typed dump display")
Reported-by: Harrison Green <harrisonmichaelgreen@gmail.com>
Suggested-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: Varun R Mallya <varunrmallya@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20260106233527.163487-1-varunrmallya@gmail.com

Closes: https://github.com/libbpf/libbpf/issues/928

parent 4effccde

tools/lib/bpf/btf_dump.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -1762,9 +1762,18 @@ static int btf_dump_get_bitfield_value(struct btf_dump *d,
		__u16 left_shift_bits, right_shift_bits;
		const __u8 *bytes = data;
		__u8 nr_copy_bits;
		__u8 start_bit, nr_bytes;
		__u64 num = 0;
		int i;

		/* Calculate how many bytes cover the bitfield */
		start_bit = bits_offset % 8;
		nr_bytes = (start_bit + bit_sz + 7) / 8;

		/* Bound check */
		if (data + nr_bytes > d->typed_dump->data_end)
		return -E2BIG;

		/* Maximum supported bitfield size is 64 bits */
		if (t->size > 8) {
		pr_warn("unexpected bitfield size %d\n", t->size);