| Message ID | 20220108134739.32541-1-laoar.shao@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | BPF |
| Headers | show |
| Series | libbpf: fix possible NULL pointer dereference when destroy skelton | expand |
| Context | Check | Description |
|---|---|---|
| bpf/vmtest-bpf-next | success | VM_Test |
| bpf/vmtest-bpf-next-PR | success | PR summary |
| netdev/tree_selection | success | Not a local patch |
On Sat, Jan 8, 2022 at 5:47 AM Yafang Shao <laoar.shao@gmail.com> wrote: > > When I checked the code in skelton header file generated with my own bpf > prog, I found there may be possible NULL pointer derefence when destroy > skelton. Then I checked the in-tree bpf progs, finding that is a common > issue. Let's take the generated samples/bpf/xdp_redirect_cpu.skel.h for > example. Below is the generated code in > xdp_redirect_cpu__create_skeleton(), > xdp_redirect_cpu__create_skeleton > struct bpf_object_skeleton *s; > s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s)); > if (!s) > goto error; > ... > error: > bpf_object__destroy_skeleton(s); > return -ENOMEM; > > After goto error, the NULL 's' will be deferenced in > bpf_object__destroy_skeleton(). > > We can simply fix this issue by just adding a NULL check in > bpf_object__destroy_skeleton(). > > Fixes: d66562fba ("libbpf: Add BPF object skeleton support") We ask to use 12-character short SHA, I've fixed it up, but for future submissions keep this in mind. Fixed a few typos and applied to bpf-next, thanks. > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > Cc: Andrii Nakryiko <andrii@kernel.org> > --- > tools/lib/bpf/libbpf.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c > index 7c74342bb668..a07fbd59e4b8 100644 > --- a/tools/lib/bpf/libbpf.c > +++ b/tools/lib/bpf/libbpf.c > @@ -11464,6 +11464,9 @@ void bpf_object__detach_skeleton(struct bpf_object_skeleton *s) > > void bpf_object__destroy_skeleton(struct bpf_object_skeleton *s) > { > + if (!s) > + return; > + > if (s->progs) > bpf_object__detach_skeleton(s); > if (s->obj) > -- > 2.17.1 >
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index 7c74342bb668..a07fbd59e4b8 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -11464,6 +11464,9 @@ void bpf_object__detach_skeleton(struct bpf_object_skeleton *s) void bpf_object__destroy_skeleton(struct bpf_object_skeleton *s) { + if (!s) + return; + if (s->progs) bpf_object__detach_skeleton(s); if (s->obj)
When I checked the code in skelton header file generated with my own bpf prog, I found there may be possible NULL pointer derefence when destroy skelton. Then I checked the in-tree bpf progs, finding that is a common issue. Let's take the generated samples/bpf/xdp_redirect_cpu.skel.h for example. Below is the generated code in xdp_redirect_cpu__create_skeleton(), xdp_redirect_cpu__create_skeleton struct bpf_object_skeleton *s; s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s)); if (!s) goto error; ... error: bpf_object__destroy_skeleton(s); return -ENOMEM; After goto error, the NULL 's' will be deferenced in bpf_object__destroy_skeleton(). We can simply fix this issue by just adding a NULL check in bpf_object__destroy_skeleton(). Fixes: d66562fba ("libbpf: Add BPF object skeleton support") Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Cc: Andrii Nakryiko <andrii@kernel.org> --- tools/lib/bpf/libbpf.c | 3 +++ 1 file changed, 3 insertions(+)