vbpf / prevail

90%

LAST BUILD ON BRANCH main

branch: SELECT

CHANGE BRANCH

x

Sync Branches

• No branch selected
• CMP0167-NEW
• add-ifndefs
• analysis-engine
• arith
• better-error-handling
• better-print
• boost-headers-setup
• btf_cycles
• bump-catch2-to-3.9.1
• bump-ebpf-samples
• c++23
• cache-ci
• call-builtins
• catch2-3.10.0
• catch2-3.11.0
• catch2-3.12.0
• catch2-3.8.2
• catch2-3.9.0
• cfg-dir
• claude/fix-close-after-widen-bug-Un4eW
• cli11-v2.5.0
• cli11-v2.6.1
• co-re
• coderabbitai/docstrings/aacd752
• codex/add-catch2-test-suite-for-ebpfdomain
• codex/add-catch2-test-suite-for-ebpftransformer
• codex/create-agents.md-file
• codex/optimize-test-execution-speed
• compute-slice-from-label
• coverage-repository
• dependabot/github_actions/actions/cache-5
• dependabot/github_actions/actions/checkout-5
• dependabot/github_actions/actions/checkout-6
• dependabot/github_actions/github/codeql-action-4
• dependabot/github_actions/softprops/action-gh-release-3
• dependabot/submodules/ebpf-samples-058b5c0
• dependabot/submodules/ebpf-samples-65b12c6
• dependabot/submodules/ebpf-samples-6a81f8e
• dependabot/submodules/external/bpf_conformance-057d705
• dependabot/submodules/external/bpf_conformance-13029d4
• dependabot/submodules/external/bpf_conformance-151bcd7
• dependabot/submodules/external/bpf_conformance-15e0553
• dependabot/submodules/external/bpf_conformance-3203c1f
• dependabot/submodules/external/bpf_conformance-35b1eb1
• dependabot/submodules/external/bpf_conformance-394a188
• dependabot/submodules/external/bpf_conformance-4334864
• dependabot/submodules/external/bpf_conformance-498ee85
• dependabot/submodules/external/bpf_conformance-5d1c9f5
• dependabot/submodules/external/bpf_conformance-5df55bc
• dependabot/submodules/external/bpf_conformance-5fbe1c3
• dependabot/submodules/external/bpf_conformance-6e648f2
• dependabot/submodules/external/bpf_conformance-6fa6a20
• dependabot/submodules/external/bpf_conformance-8670f73
• dependabot/submodules/external/bpf_conformance-8b5330d
• dependabot/submodules/external/bpf_conformance-8e6ed4a
• dependabot/submodules/external/bpf_conformance-8f3c2fe
• dependabot/submodules/external/bpf_conformance-93549c2
• dependabot/submodules/external/bpf_conformance-d280fcd
• dependabot/submodules/external/bpf_conformance-e208f52
• dependabot/submodules/external/bpf_conformance-e2318cb
• dependabot/submodules/external/bpf_conformance-f16282e
• dependabot/submodules/external/bpf_conformance-f558566
• dependabot/submodules/external/libbtf-04281ee
• dependabot/submodules/external/libbtf-0570bf0
• dependabot/submodules/external/libbtf-11e41e2
• dependabot/submodules/external/libbtf-1362c17
• dependabot/submodules/external/libbtf-3115538
• dependabot/submodules/external/libbtf-35e6a53
• dependabot/submodules/external/libbtf-55c22b7
• dependabot/submodules/external/libbtf-5efd6a0
• dependabot/submodules/external/libbtf-643757e
• dependabot/submodules/external/libbtf-6a09e51
• dependabot/submodules/external/libbtf-846bf15
• dependabot/submodules/external/libbtf-8588c66
• dependabot/submodules/external/libbtf-9224231
• dependabot/submodules/external/libbtf-ba5ab5e
• dependabot/submodules/external/libbtf-cdf441a
• dependabot/submodules/external/libbtf-e1e4e01
• dependabot/submodules/external/libbtf-e3a95e2
• dependabot/submodules/external/libbtf-f3864e6
• dependabot/submodules/external/libbtf-f96afc3
• detach-type-domain
• docs
• dynamic-packet
• dynamic-stack
• elazarg-patch-1
• expected
• explicit-context
• failure-slice
• fast-slow-tests
• fast-yaml
• feature/abi-classes
• feature/call-model
• feature/callbacks
• feature/conformance-direct-parse
• feature/human-friendly-cli
• feature/kfunc
• feature/map-by-index-pseudos
• feature/platform-tables
• feature/pointer-types
• feature/runtime-config
• feature/safety-parity
• fix-c26817-range-for-copy
• fix-ci-apt-update
• fix-cmake-git-hooks
• fix-ebpf-domain-to-set-bottom
• fix-issue-626-validmapkeyvalue-print
• fix-stacksize
• fix-ub-radix-substr
• fix-unaligned-func-symbol-overflow
• fix/1071-widen-bottom-short-circuit
• fix/assume-type-mismatch
• fix/btf-map-fallback
• fix/cfg-builder-seen-labels
• fix/docs-sync-with-code
• fix/finite-domain-32bit
• fix/issue-1099-validmapkeyvalue-packet-size
• fix/pentest-soundness-bugs
• fix/phase6-helper-abi
• fix/stack-numeric-imprecise-store
• fix/tracing-context-descriptor
• fix/widening-termination
• fix_cmake_issue
• fix_fuzzer_debug
• fix_prevail_cmake
• folder-structure
• get_helper_prototype_use_fix
• global-var
• gsl-narrow-heap
• hard-assert
• int128
• issue-728-observation-check
• lazy-allocator-constant-limits
• lazy-allocator-constant-limits-dco
• lib
• llm-context-doc
• load-elf-fix
• long-test-names
• loop-mask-constraints
• main
• maintain_enum_order
• map-count-fix
• may_have_type
• milestones
• minmax
• modernize-graph-iterators
• more-proto
• mov-imm-fix
• msvc-debug-assert-handler
• namespace
• no-patricia
• opt
• passes
• prevail-mcp
• prevail-namespace
• prog-env
• project-name
• proposal/diagnostic-reporting
• refactor/call-resolver-kfunc
• remove-thread-local-options
• remove-thresholds
• rename-classes
• rename-library
• resolve_by_name
• review-fixes
• split-call
• test-join
• test/rfc9669-llm-conformance
• tidy
• type-domain-rcu
• unreachable
• update_assertion_creation
• update_cfg_computation
• update_read_elf
• user/anusa/add_inner_map_template
• user/anusa/array_opt
• user/khorton/StringInvariant_to_use_moves
• v0.2.0
• verification-context
• verify-all-conformance
• yaml-dynamic

Build # 25071483533

Build Type

push

github

Committed by web-flow

Commit Message

Fix heap-buffer-overflow from non-instruction-aligned FUNC symbols (#1106)

* Fix heap-buffer-overflow from non-instruction-aligned FUNC symbols

Reject ELF FUNC symbols in executable sections whose st_value is not a
multiple of sizeof(EbpfInst) (8 bytes). A malformed ELF with such a
symbol causes get_program_name_and_size() to produce non-aligned program
boundaries. When read_programs() advances offset by a non-aligned
symbol_size, compute_reachable_program_span() uses truncating integer
division (offset / sizeof(EbpfInst)), inflating the computed span and
causing vector_of<EbpfInst> to memcpy past the section data buffer.

The root-cause fix validates FUNC symbol alignment in
get_program_name_and_size(), which is shared by both read_programs() and
ElfObjectState::discover_programs(). A defense-in-depth bounds check
before the vector_of call in read_programs() guards against future
regressions in span computation.

Add a test that constructs a minimal ELF with a FUNC symbol at an
unaligned offset and verifies it is cleanly rejected.

* Add acceptance test for instruction-aligned FUNC symbols

Companion to the rejection test — verifies that FUNC symbols at
8-byte-aligned offsets are accepted without error, ensuring the
alignment validation does not reject well-formed ELF files.

---------

Signed-off-by: Michael Agun <danielagun@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Coverage Stats

75 of 76 new or added lines in 2 files covered. (98.68%)

13863 of 15472 relevant lines covered (89.6%)

4364924.2 hits per line