| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2f620bc7-5761-48e4-8568-063136cbf8b8@kernel.org>
Date: Thu, 5 Dec 2024 10:40:27 +0000
From: Quentin Monnet <qmo@...nel.org>
To: Rong Tao <rtoax@...mail.com>, rongtao@...tc.cn, ast@...nel.org
Cc: Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau
<martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>,
Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>,
John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>,
Jiri Olsa <jolsa@...nel.org>,
"open list:BPF [TOOLING] (bpftool)" <bpf@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next] bpftool: Fix gen object segfault
On 05/12/2024 09:08, Rong Tao wrote:
> From: Rong Tao <rongtao@...tc.cn>
>
> If the input file and output file are the same, the input file is cleared
> due to opening, resulting in a NULL pointer access by libbpf.
>
> $ sudo ./bpftool gen object prog.o prog.o
(No sudo required to generate object files)
> libbpf: failed to get ELF header for prog.o: invalid `Elf' handle
> Segmentation fault
>
> (gdb) bt
> #0 0x0000000000450285 in linker_append_elf_syms (linker=0x4feda0, obj=0x7fffffffe100) at linker.c:1296
> #1 bpf_linker__add_file (linker=0x4feda0, filename=<optimized out>, opts=<optimized out>) at linker.c:453
> #2 0x000000000040c235 in do_object ()
> #3 0x00000000004021d7 in main ()
> (gdb) frame 0
> #0 0x0000000000450285 in linker_append_elf_syms (linker=0x4feda0, obj=0x7fffffffe100) at linker.c:1296
> 1296 Elf64_Sym *sym = symtab->data->d_buf;
>
> Signed-off-by: Rong Tao <rongtao@...tc.cn>
> ---
> tools/bpf/bpftool/gen.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
> index 5a4d3240689e..4cd135726758 100644
> --- a/tools/bpf/bpftool/gen.c
> +++ b/tools/bpf/bpftool/gen.c
> @@ -1896,6 +1896,11 @@ static int do_object(int argc, char **argv)
> while (argc) {
> file = GET_ARG();
>
> + if (!strcmp(file, output_file)) {
> + p_err("Input/Output file couldn't be same.");
Nits: lowercase for "output", and "cannot" rather than "couldn't"; also
bpftool doesn't use periods at the end of error messages:
p_err("Input and output files cannot be the same");
> + goto out;
> + }
> +
> err = bpf_linker__add_file(linker, file, NULL);
> if (err) {
> p_err("failed to link '%s': %s (%d)", file, strerror(errno), errno);
Good catch, thank you for this!
I've got one concern though, while your patch addresses the segfault it
doesn't prevent the user from overwriting the input file. Could we
instead move the check above the call to bpf_linker__new(...), please?
Something like this:
int argc_cpy = argc;
char **argv_cpy = argv;
[...]
output_file = GET_ARG();
/* Ensure we don't overwrite any input file */
while (argc_cpy--) {
if (!strcmp(output_file, *argv_cpy++)) {
p_err("...");
goto out;
}
}
linker = ...
Thanks,
Quentin
pw-bot: cr
Powered by blists - more mailing lists