lists.openwall.net
Message-ID: <CAErzpmu9ZTfg_dWns-LCiwRy1PRvjYvtzf_15Om9=9TwBnnM9w@mail.gmail.com>
Date: Fri, 14 Nov 2025 17:44:13 +0800
From: Donglin Peng <dolinux.peng@...il.com>
To: bot+bpf-ci@...nel.org
Cc: ast@...nel.org, eddyz87@...il.com, andrii.nakryiko@...il.com, 
	zhangxiaoqin@...omi.com, linux-kernel@...r.kernel.org, bpf@...r.kernel.org, 
	pengdonglin@...omi.com, alan.maguire@...cle.com, song@...nel.org, 
	andrii@...nel.org, daniel@...earbox.net, martin.lau@...nel.org, 
	yonghong.song@...ux.dev, clm@...a.com, ihor.solodrai@...ux.dev
Subject: Re: [RFC PATCH 2/2] selftests/bpf: Add test cases for btf__permute functionality

On Fri, Nov 14, 2025 at 5:39 PM <bot+bpf-ci@...nel.org> wrote:
>
> > diff --git a/tools/testing/selftests/bpf/prog_tests/btf_permute.c b/tools/testing/selftests/bpf/prog_tests/btf_permute.c
> > new file mode 100644
> > index 000000000..c1a47b846
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/prog_tests/btf_permute.c
>
> [ ... ]
>
> > @@ -0,0 +1,626 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/* Copyright (c) 2025 Xiaomi */
> > +
> > +#include <test_progs.h>
> > +#include <bpf/btf.h>
> > +#include "btf_helpers.h"
>
> [ ... ]
>
> > +/* Verify btf__permute then btf__dedup work correctly */
> > +static void test_permute_drop_dedup(void)
> > +{
> > +     struct btf *btf, *new_btf;
>                               ^^^^^^^^
> Can this crash if the test fails before new_btf is initialized?  Looking
> at the declaration above, new_btf is uninitialized, and if ASSERT_EQ()
> fails at line 570 before new_btf is assigned, the code jumps to the done
> label which calls btf__free(new_btf). While btf__free() checks for NULL,
> it doesn't protect against uninitialized garbage values and may
> dereference an invalid pointer.

Thanks, I will fix it.

>
> > +     const struct btf_header *hdr;
> > +     const void *btf_data;
> > +     char expect_strs[] = "\0int\0s1\0m\0tag1\0tag2\0tag3";
> > +     char expect_strs_dedupped[] = "\0int\0s1\0m\0tag1";
> > +     __u32 permute_ids[6], btf_size;
> > +     int err;
> > +
> > +     btf = btf__new_empty();
> > +     if (!ASSERT_OK_PTR(btf, "empty_main_btf"))
> > +             return;
> > +
> > +     btf__add_int(btf, "int", 4, BTF_INT_SIGNED);    /* [1] int */
> > +     btf__add_struct(btf, "s1", 4);                  /* [2] struct s1 { */
> > +     btf__add_field(btf, "m", 1, 0, 0);              /*       int m; */
> > +                                                     /* } */
> > +     btf__add_decl_tag(btf, "tag1", 2, -1);          /* [3] tag -> s1: tag1 */
> > +     btf__add_decl_tag(btf, "tag2", 2, 1);           /* [4] tag -> s1/m: tag2 */
> > +     btf__add_decl_tag(btf, "tag3", 2, 1);           /* [5] tag -> s1/m: tag3 */
> > +
> > +     VALIDATE_RAW_BTF(
> > +             btf,
> > +             "[1] INT 'int' size=4 bits_offset=0 nr_bits=32 encoding=SIGNED",
> > +             "[2] STRUCT 's1' size=4 vlen=1\n"
> > +             "\t'm' type_id=1 bits_offset=0",
> > +             "[3] DECL_TAG 'tag1' type_id=2 component_idx=-1",
> > +             "[4] DECL_TAG 'tag2' type_id=2 component_idx=1",
> > +             "[5] DECL_TAG 'tag3' type_id=2 component_idx=1");
> > +
> > +     btf_data = btf__raw_data(btf, &btf_size);
> > +     hdr = btf_data;
> > +     if (!ASSERT_EQ(hdr->str_len, ARRAY_SIZE(expect_strs), "expect_strs"))
>                ^^^^^^^^^^^^^^
> Does this need a NULL check for btf_data?  The btf__raw_data() function
> can return NULL on allocation failure (returns NULL at btf.c:1596), and
> dereferencing hdr->str_len without checking would cause a segfault and
> crash the test program.

Thanks, I will fix it.

>
> > +             goto done;
> > +
> > +     new_btf = btf__new(btf_data, btf_size);
> > +     if (!ASSERT_OK_PTR(new_btf, "btf__new"))
> > +             goto done;
> > +
> > +     /* Drop 2 IDs result in unreferenced strings */
> > +     permute_ids[0] = 0;
> > +     permute_ids[1] = 3; /* [1] -> [3] */
> > +     permute_ids[2] = 1; /* [2] -> [1] */
> > +     permute_ids[3] = 2; /* [3] -> [2] */
> > +     permute_ids[4] = 0; /* Drop result in unreferenced "tag2" */
> > +     permute_ids[5] = 0; /* Drop result in unreferenced "tag3" */
> > +     err = btf__permute(new_btf, permute_ids, ARRAY_SIZE(permute_ids), NULL);
> > +     if (!ASSERT_OK(err, "btf__permute"))
> > +             goto done;
> > +
> > +     VALIDATE_RAW_BTF(
> > +             new_btf,
> > +             "[1] STRUCT 's1' size=4 vlen=1\n"
> > +             "\t'm' type_id=3 bits_offset=0",
> > +             "[2] DECL_TAG 'tag1' type_id=1 component_idx=-1",
> > +             "[3] INT 'int' size=4 bits_offset=0 nr_bits=32 encoding=SIGNED");
> > +
> > +     btf_data = btf__raw_data(new_btf, &btf_size);
> > +     hdr = btf_data;
> > +     if (!ASSERT_EQ(hdr->str_len, ARRAY_SIZE(expect_strs), "expect_strs"))
>                ^^^^^^^^^^^^^^
> Same NULL check issue here with btf__raw_data().

Thanks, I will fix it.

>
> > +             goto done;
> > +
> > +     err = btf__dedup(new_btf, NULL);
> > +     if (!ASSERT_OK(err, "btf__dedup"))
> > +             goto done;
> > +
> > +     btf_data = btf__raw_data(new_btf, &btf_size);
> > +     hdr = btf_data;
> > +     if (!ASSERT_EQ(hdr->str_len, ARRAY_SIZE(expect_strs_dedupped), "expect_strs_dedupped"))
>                ^^^^^^^^^^^^^^
> And again here.

Thanks, I will fix it.

>
> > +             goto done;
> > +
> > +done:
> > +     btf__free(btf);
> > +     btf__free(new_btf);
> > +}
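
Review bot: the `goto done;` guarding the final ASSERT_EQ on expect_strs_dedupped jumps to the statement immediately after it (`done:`), so the branch is a no-op; that last check can be a bare `ASSERT_EQ(hdr->str_len, ARRAY_SIZE(expect_strs_dedupped), "expect_strs_dedupped");` with no `if`/`goto`. In the same cleanup block, `done:` unconditionally calls `btf__free(new_btf)`, and the first `goto done` (after the str_len check on the original btf) runs before `btf__new()` assigns new_btf, so the declaration should be `struct btf *btf, *new_btf = NULL;` so that early-exit path frees NULL rather than an indeterminate pointer.
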
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19359945665
