Use cxplat safe integer helpers#5200
Open
Alan-Jowett wants to merge 27 commits into
Pull request overview
This PR migrates several overflow-sensitive size/offset calculations across user-mode, kernel-mode, service, and extension components to cxplat/ebpf_safe_* checked-integer helpers, reducing the risk of integer overflow leading to undersized allocations or buffer math errors.
Changes:
- Replace unchecked `+`/`*` sizing math with `ebpf_safe_size_t_*`/`cxplat_safe_*` helpers across API buffers, map/program structures, ring-buffer sizing, and serialization paths.
- Tighten protocol/offset computations (including `uint16_t` protocol length constraints) and improve overflow handling/reporting in multiple IOCTL request/reply builders.
- Update user-mode `RtlULongAdd` mock to correctly report `STATUS_INTEGER_OVERFLOW` on overflow.
Reviewed changes
Copilot reviewed 34 out of 34 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| netebpfext/net_ebpf_ext.h | Updates SAL annotation to express returned filter-id buffer size in bytes. |
| netebpfext/net_ebpf_ext.c | Uses checked sizing for allocations and replaces index-based writes with pointer-advance for filter-id recording. |
| libs/ubpf/user/ubpf_user.c | Routes calloc through checked multiplication before allocation. |
| libs/ubpf/kernel/ubpf_kernel.c | Routes calloc through checked multiplication before allocation (kernel build). |
| libs/store_helper/user/ebpf_registry_helper.cpp | Adds checked sizing for UTF-8→wide conversions, registry string length math, and GUID substring copy. |
| libs/shared/shared_common.c | Uses checked multiplication for helper prototype array allocation sizing. |
| libs/shared/ebpf_shared_framework.h | Adds ebpf_safe_* wrappers for multiple integer widths. |
| libs/shared/ebpf_serialize.c | Uses checked addition for pin-path allocation sizing and formatting cleanups. |
| libs/service/api_service.cpp | Uses checked sizing for helper/map resolve request/reply protocol buffers. |
| libs/runtime/user/kernel_um.cpp | Updates RtlULongAdd mock to detect/report overflow. |
| libs/runtime/user/ebpf_platform_user.cpp | Uses checked arithmetic for ring-buffer section/view sizing and related Win32 APIs. |
| libs/runtime/kernel/ebpf_platform_kernel.c | Uses checked arithmetic for ring-buffer MDL sizing and UTF-8 path conversion sizing. |
| libs/runtime/ebpf_trampoline.c | Uses checked multiplication for trampoline table memory mapping size. |
| libs/runtime/ebpf_platform.h | Adds new ebpf_interlocked_increment_uint32 API declaration. |
| libs/runtime/ebpf_platform.c | Uses checked sizing for UTF-8→unicode allocation and formatting cleanup. |
| libs/runtime/ebpf_pinning_table.c | Uses checked multiplication for pinning entry array allocation sizing. |
| libs/runtime/ebpf_object.c | Switches object ID assignment to ebpf_interlocked_increment_uint32. |
| libs/runtime/ebpf_interlocked.c | Implements ebpf_interlocked_increment_uint32. |
| libs/runtime/ebpf_hash_table.c | Uses checked arithmetic for bucket entry offset/size computations and bucket resize math. |
| libs/runtime/ebpf_epoch.c | Uses checked sizing for epoch allocation headers and fixes message-type bounds check. |
| libs/runtime/ebpf_bitmap.c | Uses checked arithmetic (asserted) for bitmap sizing and initialization memset length. |
| libs/execution_context/ebpf_program.c | Uses checked sizing for map association buffers, helper-id/address arrays, instruction byte sizing, and related allocations. |
| libs/execution_context/ebpf_native.c | Uses checked sizing for native module arrays (maps/programs/helpers/handles/addresses/global variable sections). |
| libs/execution_context/ebpf_maps.c | Uses checked offset math for array map entry access and several map structure size computations; hardens batch-copy math. |
| libs/execution_context/ebpf_core_jit.c | Uses checked subtraction/addition/multiplication for request parsing and resolve helper/map reply sizing. |
| libs/execution_context/ebpf_core.c | Uses checked protocol name-length math, batch key/value sizing, reply-length computations, and hardens printk format parsing bounds. |
| libs/api_common/windows_platform_common.cpp | Uses checked multiplication/copy bounds when expanding helper prototype arrays. |
| libs/api_common/store_helper_internal.cpp | Uses checked sizing for registry helper-name buffers, helper prototype arrays, and vector-to-array copies. |
| libs/api_common/api_common.cpp | Uses checked instruction byte sizing and request/reply buffer sizing for object info queries. |
| libs/api/windows_platform.cpp | Uses checked arithmetic for map-section record indexing/offset computations. |
| libs/api/ebpf_api.cpp | Adds local safe-math helpers and uses checked sizing throughout multiple request/reply buffer builders and batch path computations. |
| libs/api/Verifier.cpp | Uses checked sizing when materializing verifier error strings. |
| ebpfcore/ebpf_drv.c | Uses checked sizing for ACL construction and enforces protocol buffer length limits at device-control entry. |
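The sizing pattern the overview describes, shown with the unchecked form beside the checked one. This is an added example written for this page, not code from ebpf-for-windows or cxplat; `safe_size_t_multiply` and `safe_size_t_add` are assumed stand-ins for the `ebpf_safe_size_t_*`/`cxplat_safe_*` family the PR names, whose exact signatures are not shown here. The constructed inputs are chosen so the plain `count * element_size` wraps to zero and the resulting "size" is just the header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumed helpers, modelled on the ebpf_safe_size_t_* / cxplat_safe_* family the
 * PR description names. Their real names and signatures are not on the page;
 * these return true on success and false when the result would wrap.
 */
static bool
safe_size_t_multiply(size_t a, size_t b, size_t* result)
{
    if (b != 0 && a > SIZE_MAX / b) {
        return false;
    }
    *result = a * b;
    return true;
}

static bool
safe_size_t_add(size_t a, size_t b, size_t* result)
{
    if (a > SIZE_MAX - b) {
        return false;
    }
    *result = a + b;
    return true;
}

/* Before: header + count * element_size with plain operators. When the product
 * wraps, the result is small and any allocation sized from it is undersized. */
size_t
unchecked_array_bytes(size_t header, size_t count, size_t element_size)
{
    return header + count * element_size;
}

/* After: each step goes through a checked helper and the caller sees failure. */
bool
checked_array_bytes(size_t header, size_t count, size_t element_size, size_t* out)
{
    size_t body;
    if (!safe_size_t_multiply(count, element_size, &body)) {
        return false;
    }
    return safe_size_t_add(header, body, out);
}

/* Convenience wrapper for callers that never size zero bytes: 0 means
 * "overflow, do not allocate". */
size_t
array_bytes_or_zero(size_t header, size_t count, size_t element_size)
{
    size_t bytes;
    return checked_array_bytes(header, count, element_size, &bytes) ? bytes : 0;
}

/* calloc-style allocation routed through checked multiplication, the shape the
 * PR gives the ubpf calloc wrappers: NULL instead of an undersized block. */
void*
checked_zeroed_alloc(size_t count, size_t element_size)
{
    size_t bytes;
    if (!safe_size_t_multiply(count, element_size, &bytes) || bytes == 0) {
        return NULL;
    }
    void* block = malloc(bytes);
    if (block != NULL) {
        memset(block, 0, bytes);
    }
    return block;
}
```

With `count = SIZE_MAX / 2 + 1` and `element_size = 2` the product is exactly 2^64 on a 64-bit build, so the unchecked version returns only the 16-byte header while the checked version reports failure; the caller then fails the request instead of writing `count` entries into a 16-byte block.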
Pull request overview
Copilot reviewed 36 out of 36 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
libs/api_common/api_common.cpp:33
- allocate_string() casts string_length (size_t) into a uint32_t when writing *length. If string_length exceeds UINT32_MAX, this silently truncates and can break callers that rely on the reported length. Add a bounds check (string_length <= UINT32_MAX) and fail (return nullptr) or otherwise handle the oversized case before assigning to *length.
```cpp
if (new_string != nullptr) {
    strcpy_s(new_string, string_length, string.c_str());
    if (length != nullptr) {
        *length = (uint32_t)string_length;
    }
```
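The guard the comment asks for, as an added example that is not part of the PR or the project's code. It is a constructed C analogue of the quoted `allocate_string()`: the real function takes a `std::string` and uses `strcpy_s`, while this one takes a C string and uses `memcpy` so it builds on any toolchain. The narrowing is also isolated into its own two functions so the truncation can be observed without building a 4 GiB string; those cases assume a 64-bit `size_t`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed analogue of the allocate_string() pattern quoted above, with the
 * missing bounds check: refuse (return NULL) when the size_t length does not
 * fit the uint32_t out-parameter, instead of silently truncating it.
 */
char*
allocate_string_checked(const char* string, uint32_t* length)
{
    size_t string_length = strlen(string) + 1; /* bytes including the terminator */

    /* Only narrow when the value survives the round trip. */
    if (string_length > UINT32_MAX) {
        return NULL;
    }

    char* new_string = malloc(string_length);
    if (new_string == NULL) {
        return NULL;
    }
    memcpy(new_string, string, string_length);
    if (length != NULL) {
        *length = (uint32_t)string_length;
    }
    return new_string;
}

/* What a caller would see in *length; 0 signals that allocation was refused. */
uint32_t
reported_length(const char* string)
{
    uint32_t length = 0;
    char* copy = allocate_string_checked(string, &length);
    if (copy == NULL) {
        return 0;
    }
    free(copy);
    return length;
}

/* The narrowing by itself: the plain cast keeps only the low 32 bits, which is
 * the silent truncation the review comment warns about. */
uint32_t
narrow_unchecked(size_t value)
{
    return (uint32_t)value;
}

bool
narrow_checked(size_t value, uint32_t* out)
{
    if (value > UINT32_MAX) {
        return false;
    }
    *out = (uint32_t)value;
    return true;
}

/* 0 means "does not fit" (a genuine 0 also yields 0; callers that need to tell
 * them apart use narrow_checked directly). */
uint32_t
narrow_or_zero(size_t value)
{
    uint32_t out;
    return narrow_checked(value, &out) ? out : 0;
}
```

For a length of `UINT32_MAX + 3` the unchecked cast reports 2, so a caller that sizes a later copy from `*length` would work with a two-byte buffer for a multi-gigabyte string; the checked path returns failure and no buffer at all.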
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mikeagun reviewed Apr 30, 2026
mikeagun previously approved these changes Apr 30, 2026
mikeagun approved these changes May 1, 2026
mikeagun previously approved these changes May 4, 2026
…idate Use ebpf_assert_assume instead of ebpf_assert for the backup_bucket NULL check so that __analysis_assume tells the static analyzer the pointer is non-NULL after this point. In Release builds ebpf_assert expands to (void)(x) which does not suppress the C6011/C6387 warnings. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
```
…r-cxplat-migration
# Conflicts:
#   libs/api_common/store_helper_internal.cpp
#   libs/shared/ebpf_serialize.c
#   netebpfext/net_ebpf_ext.c
```
Fixes: #5202