[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEf4BzbbvBEwy6_S1MRjiGWWfS_nxy6qNsEc0_Jdro1c10b8Vw@mail.gmail.com>
Date: Mon, 11 Mar 2024 11:01:52 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Eduard Zingerman <eddyz87@...il.com>
Cc: Edward Adam Davis <eadavis@...com>, syzbot+cc32304f6487ebff9b70@...kaller.appspotmail.com,
andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net,
haoluo@...gle.com, john.fastabend@...il.com, jolsa@...nel.org,
kpsingh@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev,
netdev@...r.kernel.org, sdf@...gle.com, song@...nel.org,
syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: Re: [PATCH bpf-next] bpf: fix oob in btf_name_valid_section
On Mon, Mar 11, 2024 at 7:48 AM Eduard Zingerman <eddyz87@...il.com> wrote:
>
> On Mon, 2024-03-11 at 21:16 +0800, Edward Adam Davis wrote:
> > Check the first char of the BTF DATASEC names.
> >
> > Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
> > Reported-and-tested-by: syzbot+cc32304f6487ebff9b70@...kaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@...com>
> > ---
> > kernel/bpf/btf.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 170d017e8e4a..dda0aa0d7175 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -816,6 +816,8 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
> > const char *src = btf_str_by_offset(btf, offset);
> > const char *src_limit;
> >
> > + if (!isprint(*src))
> > + return false;
> > /* set a limit on identifier length */
> > src_limit = src + KSYM_NAME_LEN;
> > src++;
>
> Hi Edward,
>
> Thank you for fixing this.
> I wonder, maybe something like below would be simpler?
>
> Thanks,
> Eduard
>
> ---
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 170d017e8e4a..3d95d5398c8a 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -818,7 +818,6 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
>
> /* set a limit on identifier length */
> src_limit = src + KSYM_NAME_LEN;
> - src++;
ah, __btf_name_valid() has a separate __btf_name_char_ok(*src, true)
check and then skips first character :(
What Eduard proposes makes sense, we shouldn't advance src before the loop.
Eduard, I'd also say we should make __btf_name_valid() a bit more
uniform by dropping that first if and then doing
if (!__btf_name_char_ok(*src, src == src_orig))
return false;
where we just remember original string pointer in src_orig.
WDYT?
> while (*src && src < src_limit) {
> if (!isprint(*src))
> return false;
>
Powered by blists - more mailing lists