linux/tools/lib/bpf
Mingyi Zhang fc3a5534e2 libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
An issue occurred while reading an ELF file in libbpf.c during fuzzing:

	Program received signal SIGSEGV, Segmentation fault.
	0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
	4206 in libbpf.c
	(gdb) bt
	#0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
	#1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
	#2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
	#3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
	#4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
	#5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
	#6 0x000000000087ad92 in tracing::span::Span::in_scope ()
	#7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
	#8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
	#9 0x00000000005f2601 in main ()
	(gdb)

scn_data was NULL at this code (tools/lib/bpf/src/libbpf.c):

	if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {

The scn_data is derived from the code above:

	scn = elf_sec_by_idx(obj, sec_idx);
	scn_data = elf_sec_data(obj, scn);

	relo_sec_name = elf_sec_str(obj, shdr->sh_name);
	sec_name = elf_sec_name(obj, scn);
	if (!relo_sec_name || !sec_name) // don't check whether scn_data is NULL
		return -EINVAL;

In certain special scenarios, such as reading a malformed ELF file,
it is possible that scn_data may be a null pointer.

Signed-off-by: Mingyi Zhang <zhangmingyi5@huawei.com>
Signed-off-by: Xin Liu <liuxin350@huawei.com>
Signed-off-by: Changye Wu <wuchangye@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@huawei.com
2023-12-21 10:05:42 +01:00
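As an added example (not libbpf code and not the fix itself), a minimal C model of the relocation-collection path with the NULL check the commit describes as missing. The struct types, `sec_by_idx()`, `get_sec_data()` and `collect_prog_relos()` are hypothetical stand-ins for libbpf's ELF types, `elf_sec_by_idx()`, `elf_sec_data()` and `bpf_object__collect_prog_relos()`, and the sample object is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define BPF_INSN_SZ 8	/* one BPF instruction is 8 bytes, as in libbpf */

/* Hypothetical stand-ins for the ELF objects libbpf walks, not libbpf's types. */
struct sec_data  { const void *d_buf; size_t d_size; };
struct section   { const char *name; struct sec_data *data; }; /* data == NULL: no contents */
struct rel_entry { uint64_t r_offset; };
struct object    { struct section *secs; size_t nr_secs; };

/* Like elf_sec_by_idx(): NULL for an out-of-range section index. */
static struct section *sec_by_idx(struct object *obj, size_t idx)
{
	return idx < obj->nr_secs ? &obj->secs[idx] : NULL;
}

/* Like elf_sec_data(): NULL when the section or its data is missing. */
static struct sec_data *get_sec_data(struct section *scn)
{
	return scn ? scn->data : NULL;
}

/* Validate the relocations aimed at section sec_idx: 0 if all are usable,
 * -EINVAL on the first malformed one. The scn_data check is the one the
 * commit adds; without it a crafted object whose relocations target a
 * data-less section dereferences NULL at the d_size comparison. */
int collect_prog_relos(struct object *obj, size_t sec_idx,
		       const struct rel_entry *rels, size_t nr_rels)
{
	struct section *scn = sec_by_idx(obj, sec_idx);
	struct sec_data *scn_data = get_sec_data(scn);
	size_t i;

	if (!scn || !scn->name)
		return -EINVAL;
	if (!scn_data)		/* the check the fuzzer showed was missing */
		return -EINVAL;
	for (i = 0; i < nr_rels; i++)
		if (rels[i].r_offset % BPF_INSN_SZ || rels[i].r_offset >= scn_data->d_size)
			return -EINVAL;
	return 0;
}

/* Constructed sample object: a 64-byte program section and a data-less one. */
static unsigned char prog_bytes[64];
static struct sec_data prog_data = { prog_bytes, sizeof(prog_bytes) };
static struct section sample_secs[] = { { ".text", &prog_data }, { ".bss", NULL } };
struct object sample_obj = { sample_secs, 2 };
const struct rel_entry sample_rels[] = { { 0 }, { 8 }, { 56 } }; /* aligned, in-range entries */
```

Relocations aimed at the data-less `.bss` stand-in are rejected with -EINVAL instead of faulting, which is the behaviour the fix restores for malformed objects.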
.gitignore libbpf: Make libbpf_version.h non-auto-generated 2021-09-13 15:36:47 -07:00
bpf_core_read.h libbpf: Add BPF_CORE_WRITE_BITFIELD() macro 2023-12-13 15:42:19 -08:00
bpf_endian.h libbpf: Make bpf_endian co-exist with vmlinux.h 2020-07-01 09:06:12 +02:00
bpf_gen_internal.h libbpf: Support kfunc detection in light skeleton. 2023-03-22 09:31:05 -07:00
bpf_helpers.h libbpf: add __arg_xxx macros for annotating global func args 2023-12-19 18:06:47 -08:00
bpf_prog_linfo.c libbpf: Streamline error reporting for high-level APIs 2021-05-25 17:32:35 -07:00
bpf_tracing.h libbpf: Fix syscall access arguments on riscv 2023-10-04 13:19:13 -07:00
bpf.c Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
bpf.h Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
btf_dump.c libbpf: btf_dump_type_data_check_overflow needs to consider BTF_MEMBER_BITFIELD_SIZE 2023-05-01 15:37:38 +02:00
btf.c Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
btf.h libbpf: Don't require full struct enum64 in UAPI headers 2022-09-27 20:45:17 +02:00
Build Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
elf.c Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
gen_loader.c libbpf: Store zero fd to fd_array for loader kfunc relocation 2023-05-16 22:09:23 -07:00
hashmap.c libbpf: Hashmap interface update to allow both long and void* keys/values 2022-11-09 20:45:14 -08:00
hashmap.h libbpf: Remove HASHMAP_INIT static initialization helper 2023-07-11 09:40:05 -07:00
libbpf_common.h libbpf: Fix potential uninitialized tail padding with LIBBPF_OPTS_RESET 2023-11-09 19:07:51 -08:00
libbpf_errno.c libbpf: Optimized return value in libbpf_strerror when errno is libbpf errno 2022-12-14 18:39:33 +01:00
libbpf_internal.h Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
libbpf_legacy.h libbpf: Clean up deprecated and legacy aliases 2022-08-17 22:42:56 +02:00
libbpf_probes.c Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
libbpf_version.h libbpf: Start v1.4 development cycle 2023-11-23 22:49:41 +01:00
libbpf.c libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos 2023-12-21 10:05:42 +01:00
libbpf.h Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
libbpf.map Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
libbpf.pc.template libbpf: Add zlib as a dependency in pkg-config template 2019-12-16 14:55:29 -08:00
linker.c libbpf: Skip DWARF sections in linker sanity check 2023-12-21 10:05:15 +01:00
Makefile libbpf: fix typos in Makefile 2023-08-02 13:58:51 -07:00
netlink.c xsk: add new netlink attribute dedicated for ZC max frags 2023-07-19 09:56:49 -07:00
nlattr.c libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() 2023-02-10 15:27:22 -08:00
nlattr.h libbpf: add API to get XDP/XSK supported features 2023-02-02 20:48:24 -08:00
relo_core.c libbpf: fix signedness determination in CO-RE relo handling logic 2023-08-23 21:13:48 -07:00
relo_core.h bpf, libbpf: Add type match support 2022-07-05 21:14:25 -07:00
ringbuf.c libbpf: Add ring__consume 2023-09-25 16:22:43 -07:00
skel_internal.h libbpf: add map_get_fd_by_id and map_delete_elem in light skeleton 2022-08-25 18:52:29 -07:00
str_error.c libbpf: Poison kernel-only integer types 2020-01-10 10:38:00 -08:00
str_error.h Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
strset.c libbpf: Hashmap interface update to allow both long and void* keys/values 2022-11-09 20:45:14 -08:00
strset.h libbpf: Extract internal set-of-strings datastructure APIs 2021-03-18 16:14:22 -07:00
usdt.bpf.h libbpf: Use local includes inside the library 2023-08-04 15:06:46 -07:00
usdt.c libbpf: Add uprobe multi link support to bpf_program__attach_usdt 2023-08-21 15:51:26 -07:00
zip.c libbpf: Ignore warnings about "inefficient alignment" 2023-03-16 18:20:08 +01:00
zip.h libbpf: Implement basic zip archive parsing support 2023-03-01 16:05:34 -08:00