| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Nov 2018 09:18:06 -0800
From: Y Song <ys114321@...il.com>
To: wen.yang99@....com.cn
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jakub Kicinski <jakub.kicinski@...ronome.com>,
Quentin Monnet <quentin.monnet@...ronome.com>,
Jiong Wang <jiong.wang@...ronome.com>, guro@...com,
Sandipan Das <sandipan@...ux.vnet.ibm.com>,
John Fastabend <john.fastabend@...il.com>,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, zhong.weidong@....com.cn,
wang.yi59@....com.cn, julia.lawall@...6.fr
Subject: Re: [PATCH 3/4] tools: bpftool: fix potential NULL pointer
dereference in do_load
On Tue, Nov 20, 2018 at 11:42 PM Wen Yang <wen.yang99@....com.cn> wrote:
>
> This patch fixes a possible null pointer dereference in
> do_load, detected by the semantic patch
> deref_null.cocci, with the following warning:
>
> ./tools/bpf/bpftool/prog.c:1021:23-25: ERROR: map_replace is NULL but dereferenced.
>
> The following code has potential null pointer references:
> 881 map_replace = reallocarray(map_replace, old_map_fds + 1,
> 882 sizeof(*map_replace));
> 883 if (!map_replace) {
> 884 p_err("mem alloc failed");
> 885 goto err_free_reuse_maps;
> 886 }
>
> ...
> 1019 err_free_reuse_maps:
> 1020 for (i = 0; i < old_map_fds; i++)
> 1021 close(map_replace[i].fd);
> 1022 free(map_replace);
I did not see any issues here.
We have code looks like:
867 struct map_replace *map_replace = NULL;
868 struct bpf_program *prog = NULL, *pos;
869 unsigned int old_map_fds = 0;
...
948 map_replace = reallocarray(map_replace,
old_map_fds + 1,
949 sizeof(*map_replace));
950 if (!map_replace) {
951 p_err("mem alloc failed");
952 goto err_free_reuse_maps;
953 }
954 map_replace[old_map_fds].idx = idx;
955 map_replace[old_map_fds].name = name;
956 map_replace[old_map_fds].fd = fd;
957 old_map_fds++;
...
old_map_fds becomes non zero if and only if map_replace is not NULL.
> Signed-off-by: Wen Yang <wen.yang99@....com.cn>
> Reviewed-by: Tan Hu <tan.hu@....com.cn>
> CC: Julia Lawall <julia.lawall@...6.fr>
> ---
> tools/bpf/bpftool/prog.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
> index 5302ee2..de42187 100644
> --- a/tools/bpf/bpftool/prog.c
> +++ b/tools/bpf/bpftool/prog.c
> @@ -1017,8 +1017,9 @@ static int do_load(int argc, char **argv)
> err_close_obj:
> bpf_object__close(obj);
> err_free_reuse_maps:
> - for (i = 0; i < old_map_fds; i++)
> - close(map_replace[i].fd);
> + if (map_replace)
> + for (i = 0; i < old_map_fds; i++)
> + close(map_replace[i].fd);
> free(map_replace);
> return -1;
> }
> --
> 2.9.5
>
Powered by blists - more mailing lists