Re: An invalid memory access was discovered by a fuzz test

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 12/19/23 3:15 PM, Xin Liu wrote:

Hi all:

The issue occurred while reading an ELF file in libbpf.c during fuzzing

     Using host libthread_db library "/usr/lib64/libthread_db.so.1".
     0.000243187s DEBUG total counters = 7816
     0.000346533s DEBUG binary maps to 400000-155f280, len = 18215552
     0.000765462s DEBUG init_fuzzer:run_seed: running initial seed path="crash-sigsegv-b905489aaeb39555ff1245117f1efd1677195b9ac1437bfb18b8d2d04099704b"

     Program received signal SIGSEGV, Segmentation fault.
     0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
     4206 in libbpf.c
     (gdb) bt
     #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
     #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
     #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
     #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
     #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
     #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
     #6 0x000000000087ad92 in tracing::span::Span::in_scope ()
     #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
     #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
     #9 0x00000000005f2601 in main ()
     (gdb)

then, I checked the code and found that scn_data was null at this code(tools/lib/bpf/src/libbpf.c):

     if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
The scn_data is derived from the code above: scn = elf_sec_by_idx(obj, sec_idx); 
     scn_data = elf_sec_data(obj, scn);
relo_sec_name = elf_sec_str(obj, shdr->sh_name); 
     sec_name = elf_sec_name(obj, scn);
     if (!relo_sec_name || !sec_name)    // don't check whether scn_data is NULL
     	return -EINVAL;

Do sec_data and sec_name always occur together? Is it possible that scn_data is NULL but sec_name
is not NULL? libbpf uses sec_name to determine if it’s a null pointer, Maybe we should do some
check here.


Weird, is this based on a malformed elf given sec_idx comes from shdr->sh_info?
It probably makes sense to NULL check and then return with -LIBBPF_ERRNO__FORMAT
as we do elsewhere. Do you want to send a fix?

Thanks,
Daniel
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux