Patch "libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 12ee74ecb1c050c40180d3bd0e41ccb9a28c75e5
Author: Mingyi Zhang <zhangmingyi5@xxxxxxxxxx>
Date:   Thu Dec 21 11:39:47 2023 +0800

    libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
    
    [ Upstream commit fc3a5534e2a8855427403113cbeb54af5837bbe0 ]
    
    An issue occurred while reading an ELF file in libbpf.c during fuzzing:
    
            Program received signal SIGSEGV, Segmentation fault.
            0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
            4206 in libbpf.c
            (gdb) bt
            #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
            #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
            #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
            #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
            #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
            #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
            #6 0x000000000087ad92 in tracing::span::Span::in_scope ()
            #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
            #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
            #9 0x00000000005f2601 in main ()
            (gdb)
    
    scn_data was null at this code(tools/lib/bpf/src/libbpf.c):
    
            if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
    
    The scn_data is derived from the code above:
    
            scn = elf_sec_by_idx(obj, sec_idx);
            scn_data = elf_sec_data(obj, scn);
    
            relo_sec_name = elf_sec_str(obj, shdr->sh_name);
            sec_name = elf_sec_name(obj, scn);
            if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL
                    return -EINVAL;
    
    In certain special scenarios, such as reading a malformed ELF file,
    it is possible that scn_data may be a null pointer
    
    Signed-off-by: Mingyi Zhang <zhangmingyi5@xxxxxxxxxx>
    Signed-off-by: Xin Liu <liuxin350@xxxxxxxxxx>
    Signed-off-by: Changye Wu <wuchangye@xxxxxxxxxx>
    Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
    Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 96ff1aa4bf6a..de08b920a149 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -4251,6 +4251,8 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, Elf64_Shdr *shdr, Elf_Dat
 
 	scn = elf_sec_by_idx(obj, sec_idx);
 	scn_data = elf_sec_data(obj, scn);
+	if (!scn_data)
+		return -LIBBPF_ERRNO__FORMAT;
 
 	relo_sec_name = elf_sec_str(obj, shdr->sh_name);
 	sec_name = elf_sec_name(obj, scn);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux