[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231219141544.128812-1-liuxin350@huawei.com>
Date: Tue, 19 Dec 2023 22:15:44 +0800
From: Xin Liu <liuxin350@...wei.com>
To: <ast@...nel.org>, <daniel@...earbox.net>, <andrii@...nel.org>,
<martin.lau@...ux.dev>, <song@...nel.org>, <yhs@...com>,
<john.fastabend@...il.com>, <kpsingh@...nel.org>, <sdf@...gle.com>,
<haoluo@...gle.com>, <jolsa@...nel.org>
CC: <bpf@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <yanan@...wei.com>,
<wuchangye@...wei.com>, <xiesongyang@...wei.com>, <kongweibin2@...wei.com>,
<liuxin350@...wei.com>, <tianmuyang@...wei.com>, <zhangmingyi5@...wei.com>
Subject: An invalid memory access was discovered by a fuzz test
Hi all:
The issue occurred while reading an ELF file in libbpf.c during fuzzing
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
0.000243187s DEBUG total counters = 7816
0.000346533s DEBUG binary maps to 400000-155f280, len = 18215552
0.000765462s DEBUG init_fuzzer:run_seed: running initial seed path="crash-sigsegv-b905489aaeb39555ff1245117f1efd1677195b9ac1437bfb18b8d2d04099704b"
Program received signal SIGSEGV, Segmentation fault.
0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
4206 in libbpf.c
(gdb) bt
#0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
#1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
#2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
#3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
#4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
#5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
#6 0x000000000087ad92 in tracing::span::Span::in_scope ()
#7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
#8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
#9 0x00000000005f2601 in main ()
(gdb)
then, I checked the code and found that scn_data was null at this code(tools/lib/bpf/src/libbpf.c):
if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
The scn_data is derived from the code above:
scn = elf_sec_by_idx(obj, sec_idx);
scn_data = elf_sec_data(obj, scn);
relo_sec_name = elf_sec_str(obj, shdr->sh_name);
sec_name = elf_sec_name(obj, scn);
if (!relo_sec_name || !sec_name) // don't check whether scn_data is NULL
return -EINVAL;
Do sec_data and sec_name always occur together? Is it possible that scn_data is NULL but sec_name
is not NULL? libbpf uses sec_name to determine if it’s a null pointer, Maybe we should do some
check here.
Powered by blists - more mailing lists