[bpf-next,v3,0/2] bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos

Message ID	20240822080124.2995724-1-eddyz87@gmail.com (mailing list archive)
Headers	show Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AAC519470 for <bpf@vger.kernel.org>; Thu, 22 Aug 2024 08:01:40 +0000 (UTC) From: Eduard Zingerman <eddyz87@gmail.com> To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, cnitlrt@gmail.com, Eduard Zingerman <eddyz87@gmail.com> Subject: [PATCH bpf-next v3 0/2] bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos Date: Thu, 22 Aug 2024 01:01:22 -0700 Message-ID: <20240822080124.2995724-1-eddyz87@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos \| expand [bpf-next,v3,0/2] bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos [bpf-next,v3,1/2] bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos [bpf-next,v3,2/2] selftests/bpf: test for malformed BPF_CORE_TYPE_ID_LOCAL relocation

Message ID

20240822080124.2995724-1-eddyz87@gmail.com (mailing list archive)

Headers

From: Eduard Zingerman <eddyz87@gmail.com>
To: bpf@vger.kernel.org,
	ast@kernel.org
Cc: andrii@kernel.org,
	daniel@iogearbox.net,
	martin.lau@linux.dev,
	kernel-team@fb.com,
	yonghong.song@linux.dev,
	cnitlrt@gmail.com,
	Eduard Zingerman <eddyz87@gmail.com>
Subject: [PATCH bpf-next v3 0/2] bpf: fix null pointer access for malformed
 BPF_CORE_TYPE_ID_LOCAL relos
Date: Thu, 22 Aug 2024 01:01:22 -0700
Message-ID: <20240822080124.2995724-1-eddyz87@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos | expand

Message

Eduard Zingerman Aug. 22, 2024, 8:01 a.m. UTC

Liu RuiTong reported an in-kernel null pointer derefence when
processing BPF_CORE_TYPE_ID_LOCAL relocations referencing non-existing
BTF types. Fix this by adding proper id checks.

Changes v2->v3:
- selftest update suggested by Andrii:
  avoid memset(0) for log buffer and do memset(0) for bpf_attr.

Changes v1->v2:
- moved check from bpf_core_calc_relo_insn() to bpf_core_apply()
  now both in kernel and in libbpf relocation type id is guaranteed
  to exist when bpf_core_calc_relo_insn() is called;
- added a test case.

v1: https://lore.kernel.org/bpf/20240821164620.1056362-1-eddyz87@gmail.com/
v2: https://lore.kernel.org/bpf/20240822001837.2715909-1-eddyz87@gmail.com/

Eduard Zingerman (2):
  bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
  selftests/bpf: test for malformed BPF_CORE_TYPE_ID_LOCAL relocation

 kernel/bpf/btf.c                              |   8 ++
 .../selftests/bpf/prog_tests/core_reloc_raw.c | 125 ++++++++++++++++++
 2 files changed, 133 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/core_reloc_raw.c

Comments

patchwork-bot+netdevbpf@kernel.org Aug. 22, 2024, 3:10 p.m. UTC | #1

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Thu, 22 Aug 2024 01:01:22 -0700 you wrote:
> Liu RuiTong reported an in-kernel null pointer derefence when
> processing BPF_CORE_TYPE_ID_LOCAL relocations referencing non-existing
> BTF types. Fix this by adding proper id checks.
> 
> Changes v2->v3:
> - selftest update suggested by Andrii:
>   avoid memset(0) for log buffer and do memset(0) for bpf_attr.
> 
> [...]

Here is the summary with links:
  - [bpf-next,v3,1/2] bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
    https://git.kernel.org/bpf/bpf-next/c/3d2786d65aaa
  - [bpf-next,v3,2/2] selftests/bpf: test for malformed BPF_CORE_TYPE_ID_LOCAL relocation
    https://git.kernel.org/bpf/bpf-next/c/110bbd3a2ed7

You are awesome, thank you!