Message-Id: <39c391d944fa3db4426d0c1f9b4a22ccd1660133231a02efbcb78e0b55ac84b2@mail.kernel.org>
Date: Fri, 14 Nov 2025 09:39:25 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: dolinux.peng@...il.com,ast@...nel.org
Cc: eddyz87@...il.com,andrii.nakryiko@...il.com,zhangxiaoqin@...omi.com,linux-kernel@...r.kernel.org,bpf@...r.kernel.org,pengdonglin@...omi.com,alan.maguire@...cle.com,song@...nel.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [RFC PATCH 2/2] selftests/bpf: Add test cases for btf__permute functionality

> diff --git a/tools/testing/selftests/bpf/prog_tests/btf_permute.c b/tools/testing/selftests/bpf/prog_tests/btf_permute.c
> new file mode 100644
> index 000000000..c1a47b846
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/btf_permute.c

[ ... ]

> @@ -0,0 +1,626 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2025 Xiaomi */
> +
> +#include <test_progs.h>
> +#include <bpf/btf.h>
> +#include "btf_helpers.h"

[ ... ]

> +/* Verify btf__permute then btf__dedup work correctly */
> +static void test_permute_drop_dedup(void)
> +{
> +	struct btf *btf, *new_btf;
                              ^^^^^^^^
Can this crash if the test fails before new_btf is initialized?  Looking
at the declaration above, new_btf is uninitialized, and if ASSERT_EQ()
fails at line 570 before new_btf is assigned, the code jumps to the done
label which calls btf__free(new_btf). While btf__free() checks for NULL,
it doesn't protect against uninitialized garbage values and may
dereference an invalid pointer.

> +	const struct btf_header *hdr;
> +	const void *btf_data;
> +	char expect_strs[] = "\0int\0s1\0m\0tag1\0tag2\0tag3";
> +	char expect_strs_dedupped[] = "\0int\0s1\0m\0tag1";
> +	__u32 permute_ids[6], btf_size;
> +	int err;
> +
> +	btf = btf__new_empty();
> +	if (!ASSERT_OK_PTR(btf, "empty_main_btf"))
> +		return;
> +
> +	btf__add_int(btf, "int", 4, BTF_INT_SIGNED);	/* [1] int */
> +	btf__add_struct(btf, "s1", 4);			/* [2] struct s1 { */
> +	btf__add_field(btf, "m", 1, 0, 0);		/*       int m; */
> +							/* } */
> +	btf__add_decl_tag(btf, "tag1", 2, -1);		/* [3] tag -> s1: tag1 */
> +	btf__add_decl_tag(btf, "tag2", 2, 1);		/* [4] tag -> s1/m: tag2 */
> +	btf__add_decl_tag(btf, "tag3", 2, 1);		/* [5] tag -> s1/m: tag3 */
> +
> +	VALIDATE_RAW_BTF(
> +		btf,
> +		"[1] INT 'int' size=4 bits_offset=0 nr_bits=32 encoding=SIGNED",
> +		"[2] STRUCT 's1' size=4 vlen=1\n"
> +		"\t'm' type_id=1 bits_offset=0",
> +		"[3] DECL_TAG 'tag1' type_id=2 component_idx=-1",
> +		"[4] DECL_TAG 'tag2' type_id=2 component_idx=1",
> +		"[5] DECL_TAG 'tag3' type_id=2 component_idx=1");
> +
> +	btf_data = btf__raw_data(btf, &btf_size);
> +	hdr = btf_data;
> +	if (!ASSERT_EQ(hdr->str_len, ARRAY_SIZE(expect_strs), "expect_strs"))
               ^^^^^^^^^^^^^^
Does this need a NULL check for btf_data?  The btf__raw_data() function
can return NULL on allocation failure (returns NULL at btf.c:1596), and
dereferencing hdr->str_len without checking would cause a segfault and
crash the test program.

> +		goto done;
> +
> +	new_btf = btf__new(btf_data, btf_size);
> +	if (!ASSERT_OK_PTR(new_btf, "btf__new"))
> +		goto done;
> +
> +	/* Drop 2 IDs result in unreferenced strings */
> +	permute_ids[0] = 0;
> +	permute_ids[1] = 3; /* [1] -> [3] */
> +	permute_ids[2] = 1; /* [2] -> [1] */
> +	permute_ids[3] = 2; /* [3] -> [2] */
> +	permute_ids[4] = 0; /* Drop result in unreferenced "tag2" */
> +	permute_ids[5] = 0; /* Drop result in unreferenced "tag3" */
> +	err = btf__permute(new_btf, permute_ids, ARRAY_SIZE(permute_ids), NULL);
> +	if (!ASSERT_OK(err, "btf__permute"))
> +		goto done;
> +
> +	VALIDATE_RAW_BTF(
> +		new_btf,
> +		"[1] STRUCT 's1' size=4 vlen=1\n"
> +		"\t'm' type_id=3 bits_offset=0",
> +		"[2] DECL_TAG 'tag1' type_id=1 component_idx=-1",
> +		"[3] INT 'int' size=4 bits_offset=0 nr_bits=32 encoding=SIGNED");
> +
> +	btf_data = btf__raw_data(new_btf, &btf_size);
> +	hdr = btf_data;
> +	if (!ASSERT_EQ(hdr->str_len, ARRAY_SIZE(expect_strs), "expect_strs"))
               ^^^^^^^^^^^^^^
Same NULL check issue here with btf__raw_data().

> +		goto done;
> +
> +	err = btf__dedup(new_btf, NULL);
> +	if (!ASSERT_OK(err, "btf__dedup"))
> +		goto done;
> +
> +	btf_data = btf__raw_data(new_btf, &btf_size);
> +	hdr = btf_data;
> +	if (!ASSERT_EQ(hdr->str_len, ARRAY_SIZE(expect_strs_dedupped), "expect_strs_dedupped"))
               ^^^^^^^^^^^^^^
And again here.

> +		goto done;
> +
> +done:
> +	btf__free(btf);
> +	btf__free(new_btf);
> +}
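Review bot: The three `ASSERT_EQ(hdr->str_len, ARRAY_SIZE(...))` checks compare only the length of the string section, so `expect_strs` and `expect_strs_dedupped` are declared as full byte arrays whose contents are never compared; if permute dropped `tag1` instead of `tag2`/`tag3`, or dedup kept a different tag name of the same length, `str_len` would be unchanged and the test would still pass. After each length assertion also compare the bytes, e.g. `ASSERT_OK(memcmp((const char *)btf_data + hdr->hdr_len + hdr->str_off, expect_strs_dedupped, sizeof(expect_strs_dedupped)), "expect_strs_dedupped_bytes")` (using `expect_strs` at the first two sites), which appears to be what the arrays were written for. This matters most at the second site, right after `btf__permute()`, where the expected length is identical to the pre-permute length because (per the comments on permute_ids) the dropped tags only become unreferenced strings rather than being removed, so the length check there distinguishes nothing. Separately, the `btf__add_*()` return values on the setup lines are unchecked; VALIDATE_RAW_BTF would most likely catch a failed add, so that is minor. test_permute_drop_dedup is shown complete here, but the quoted hunk is elided with `[ ... ]` between the includes and this function.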


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19359945665
