Commit 6881af27 authored by T.J. Mercier, committed by Alexei Starovoitov

selftests/bpf: Fix OOB read in dmabuf_collector



Dmabuf name allocations can be less than DMA_BUF_NAME_LEN characters,
but bpf_probe_read_kernel always tries to read exactly that many bytes.
If a name is less than DMA_BUF_NAME_LEN characters,
bpf_probe_read_kernel will read past the end. bpf_probe_read_kernel_str
stops at the first NUL terminator so use it instead, like
iter_dmabuf_for_each already does.

Fixes: ae5d2c59 ("selftests/bpf: Add test for dmabuf_iter")
Reported-by: Jerome Lee <jaewookl@quicinc.com>
Signed-off-by: T.J. Mercier <tjmercier@google.com>
Link: https://lore.kernel.org/r/20260225003349.113746-1-tjmercier@google.com


Signed-off-by: Alexei Starovoitov <ast@kernel.org>
parent 60e3cbef
+1 −1
@@ -48,7 +48,7 @@ int dmabuf_collector(struct bpf_iter__dmabuf *ctx)

	/* Buffers are not required to be named */
	if (pname) {
		if (bpf_probe_read_kernel(name, sizeof(name), pname))
		if (bpf_probe_read_kernel_str(name, sizeof(name), pname) < 0)
			return 1;

		/* Name strings can be provided by userspace */
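Review bot: on the bpf_probe_read_kernel_str() line, the helper stops writing at the NUL terminator and does not pad the remainder of name, so whatever was in the buffer beyond the string stays there. If name is later used as a fixed-size map key or compared over sizeof(name), please confirm it is zero-initialised at its declaration (not visible in this hunk), otherwise two buffers with the same name could produce different keys. The < 0 test itself is the right check for this helper, since it returns the copied length including the NUL on success and a negative value on failure; a source string of sizeof(name) bytes or more is truncated and still terminated, so no extra length check is needed.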