lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <tencent_BA5119C43D830721CD2CAE4B6D95DC57EC07@qq.com>
Date: Thu, 5 Dec 2024 19:14:29 +0800
From: Rong Tao <rtoax@...mail.com>
To: Quentin Monnet <qmo@...nel.org>, rongtao@...tc.cn, ast@...nel.org
Cc: Daniel Borkmann <daniel@...earbox.net>,
 Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau
 <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>,
 Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>,
 John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>,
 Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>,
 Jiri Olsa <jolsa@...nel.org>,
 "open list:BPF [TOOLING] (bpftool)" <bpf@...r.kernel.org>,
 open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next] bpftool: Fix gen object segfault


On 12/5/24 18:40, Quentin Monnet wrote:
> On 05/12/2024 09:08, Rong Tao wrote:
>> From: Rong Tao <rongtao@...tc.cn>
>>
>> If the input file and output file are the same, the input file is cleared
>> due to opening, resulting in a NULL pointer access by libbpf.
>>
>>      $ sudo ./bpftool gen object prog.o prog.o
>
> (No sudo required to generate object files)
>
>
>>      libbpf: failed to get ELF header for prog.o: invalid `Elf' handle
>>      Segmentation fault
>>
>>      (gdb) bt
>>      #0  0x0000000000450285 in linker_append_elf_syms (linker=0x4feda0, obj=0x7fffffffe100) at linker.c:1296
>>      #1  bpf_linker__add_file (linker=0x4feda0, filename=<optimized out>, opts=<optimized out>) at linker.c:453
>>      #2  0x000000000040c235 in do_object ()
>>      #3  0x00000000004021d7 in main ()
>>      (gdb) frame 0
>>      #0  0x0000000000450285 in linker_append_elf_syms (linker=0x4feda0, obj=0x7fffffffe100) at linker.c:1296
>>      1296		Elf64_Sym *sym = symtab->data->d_buf;
>>
>> Signed-off-by: Rong Tao <rongtao@...tc.cn>
>> ---
>>   tools/bpf/bpftool/gen.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
>> index 5a4d3240689e..4cd135726758 100644
>> --- a/tools/bpf/bpftool/gen.c
>> +++ b/tools/bpf/bpftool/gen.c
>> @@ -1896,6 +1896,11 @@ static int do_object(int argc, char **argv)
>>   	while (argc) {
>>   		file = GET_ARG();
>>   
>> +		if (!strcmp(file, output_file)) {
>> +			p_err("Input/Output file couldn't be same.");
>
> Nits: lowercase for "output", and "cannot" rather than "couldn't"; also
> bpftool doesn't use periods at the end of error messages:
>
>      p_err("Input and output files cannot be the same");
>
>
>> +			goto out;
>> +		}
>> +
>>   		err = bpf_linker__add_file(linker, file, NULL);
>>   		if (err) {
>>   			p_err("failed to link '%s': %s (%d)", file, strerror(errno), errno);
>
> Good catch, thank you for this!
>
> I've got one concern though, while your patch addresses the segfault it
> doesn't prevent the user from overwriting the input file. Could we
> instead move the check above the call to bpf_linker__new(...), please?
> Something like this:
>
> 	int argc_cpy = argc;
> 	char **argv_cpy = argv;
>
> 	[...]
> 	output_file = GET_ARG();
>
> 	/* Ensure we don't overwrite any input file */
> 	while (argc_cpy--) {
> 		if (!strcmp(output_file, *argv_cpy++)) {
> 			p_err("...");
> 			goto out;
> 		}
> 	}

Thanks a lot, I just submit v2, please review!!

Rong Tao

>
> 	linker = ...
>
> Thanks,
> Quentin
>
> pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ