| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZDQzwP3K8WOImluJ@krava>
Date: Mon, 10 Apr 2023 17:05:20 +0100
From: Jiri Olsa <olsajiri@...il.com>
To: Rong Tao <rtoax@...mail.com>
Cc: ast@...nel.org, rongtao@...tc.cn,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Song Liu <song@...nel.org>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...gle.com>,
Hao Luo <haoluo@...gle.com>, Mykola Lysenko <mykolal@...com>,
Shuah Khan <shuah@...nel.org>, Nick Terrell <terrelln@...com>,
"open list:BPF [GENERAL] (Safe Dynamic Programs and Tools)"
<bpf@...r.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next] selftests/bpf: trace_helpers.c: Fix segfault
On Sun, Apr 09, 2023 at 04:15:25PM +0800, Rong Tao wrote:
> From: Rong Tao <rongtao@...tc.cn>
>
> When the number of symbols is greater than MAX_SYMS (300000), the access
> array struct ksym syms[MAX_SYMS] goes out of bounds, which will result in
> a segfault.
>
> Resolve this issue by judging the maximum number and exiting the loop, and
> increasing the default size appropriately. (6.2.9 = 329839 below)
>
> $ cat /proc/kallsyms | wc -l
> 329839
>
> GDB debugging:
> $ cd linux/samples/bpf
> $ sudo gdb ./sampleip
> ...
> (gdb) r
> ...
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff7e2debf in malloc () from /lib64/libc.so.6
> Missing separate debuginfos, use: dnf debuginfo-install
> elfutils-libelf-0.189-1.fc37.x86_64 glibc-2.36-9.fc37.x86_64
> libzstd-1.5.4-1.fc37.x86_64 zlib-1.2.12-5.fc37.x86_64
> (gdb) bt
> #0 0x00007ffff7e2debf in malloc () from /lib64/libc.so.6
> #1 0x00007ffff7e33f8e in strdup () from /lib64/libc.so.6
> #2 0x0000000000403fb0 in load_kallsyms_refresh() from trace_helpers.c
> #3 0x00000000004038b2 in main ()
>
> Signed-off-by: Rong Tao <rongtao@...tc.cn>
I had to apply by hand, there was some fuzz:
patching file tools/testing/selftests/bpf/trace_helpers.c
Hunk #1 succeeded at 18 with fuzz 2 (offset 4 lines).
Hunk #2 succeeded at 48 (offset 4 lines).
but other than that looks good
Acked-by: Jiri Olsa <jolsa@...nel.org>
jirka
> ---
> tools/testing/selftests/bpf/trace_helpers.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/trace_helpers.c b/tools/testing/selftests/bpf/trace_helpers.c
> index 09a16a77bae4..a9d589c560d2 100644
> --- a/tools/testing/selftests/bpf/trace_helpers.c
> +++ b/tools/testing/selftests/bpf/trace_helpers.c
> @@ -14,7 +14,7 @@
>
> #define DEBUGFS "/sys/kernel/debug/tracing/"
>
> -#define MAX_SYMS 300000
> +#define MAX_SYMS 400000
> static struct ksym syms[MAX_SYMS];
> static int sym_cnt;
>
> @@ -44,7 +44,8 @@ int load_kallsyms_refresh(void)
> continue;
> syms[i].addr = (long) addr;
> syms[i].name = strdup(func);
> - i++;
> + if (++i >= MAX_SYMS)
> + break;
> }
> fclose(f);
> sym_cnt = i;
> --
> 2.39.2
>
Powered by blists - more mailing lists