lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20200423175857.20180-2-jhs@emojatatu.com>
Date:   Thu, 23 Apr 2020 13:58:56 -0400
From:   Jamal Hadi Salim <jhs@...atatu.com>
To:     stephen@...workplumber.org
Cc:     netdev@...r.kernel.org, dsahern@...il.com, aclaudi@...hat.com,
        daniel@...earbox.net, asmadeus@...ewreck.org,
        Jamal Hadi Salim <jhs@...atatu.com>
Subject: [PATCH iproute2 v3 1/2] bpf: Fix segfault when custom pinning is used

From: Jamal Hadi Salim <jhs@...atatu.com>

How to recreate:
1) Create a custome pinned map - example something along
   the lines of:

   struct bpf_elf_map SEC("maps") my_map = {
        .type = BPF_MAP_TYPE_HASH,
        .size_key = sizeof(struct my_key),
        .size_value = sizeof(struct my_value),
        .pinning = 6,
        .max_elem = 16,
   };

2) load the program with tc filter and tc will segfault.

The reason is we strcat past memory allocated using asprintf.
Solution - just use a static buffer of max possible size of 4k.

Fixes: c0325b06382 ("bpf: replace snprintf with asprintf when dealing with long buffers")

Signed-off-by: Jamal Hadi Salim <jhs@...atatu.com>
---
 lib/bpf.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/lib/bpf.c b/lib/bpf.c
index 10cf9bf4..73f3a590 100644
--- a/lib/bpf.c
+++ b/lib/bpf.c
@@ -1509,16 +1509,12 @@ out:
 static int bpf_make_custom_path(const struct bpf_elf_ctx *ctx,
 				const char *todo)
 {
-	char *tmp = NULL;
+	char tmp[PATH_MAX];
 	char *rem = NULL;
 	char *sub;
 	int ret;
 
-	ret = asprintf(&tmp, "%s/../", bpf_get_work_dir(ctx->type));
-	if (ret < 0) {
-		fprintf(stderr, "asprintf failed: %s\n", strerror(errno));
-		goto out;
-	}
+	snprintf(tmp, PATH_MAX, "%s/../", bpf_get_work_dir(ctx->type));
 
 	ret = asprintf(&rem, "%s/", todo);
 	if (ret < 0) {
@@ -1547,7 +1543,6 @@ static int bpf_make_custom_path(const struct bpf_elf_ctx *ctx,
 	ret = 0;
 out:
 	free(rem);
-	free(tmp);
 	return ret;
 }
 
-- 
2.20.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ