Message ID | 20221022110529.51857-1-liuxin350@huawei.com (mailing list archive) |
---|---|
State | Rejected |
Delegated to: | BPF |
Headers | show |
Series | libbpf: glob_sym may be a NULL pointer and cause the program crash | expand |
Context | Check | Description |
---|---|---|
bpf/vmtest-bpf-next-VM_Test-4 | success | Logs for llvm-toolchain |
bpf/vmtest-bpf-next-VM_Test-5 | success | Logs for set-matrix |
bpf/vmtest-bpf-next-VM_Test-2 | success | Logs for build for x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-3 | success | Logs for build for x86_64 with llvm-16 |
bpf/vmtest-bpf-next-PR | success | PR summary |
bpf/vmtest-bpf-next-VM_Test-1 | success | Logs for build for s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-6 | success | Logs for test_maps on s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-7 | success | Logs for test_maps on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-8 | success | Logs for test_maps on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-9 | success | Logs for test_progs on s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-10 | success | Logs for test_progs on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-11 | success | Logs for test_progs on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-12 | success | Logs for test_progs_no_alu32 on s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-13 | success | Logs for test_progs_no_alu32 on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-14 | success | Logs for test_progs_no_alu32 on x86_64 with llvm-16 |
bpf/vmtest-bpf-next-VM_Test-15 | success | Logs for test_verifier on s390x with gcc |
bpf/vmtest-bpf-next-VM_Test-16 | success | Logs for test_verifier on x86_64 with gcc |
bpf/vmtest-bpf-next-VM_Test-17 | success | Logs for test_verifier on x86_64 with llvm-16 |
netdev/tree_selection | success | Not a local patch |
On Sat, Oct 22, 2022 at 4:05 AM Xin Liu <liuxin350@huawei.com> wrote: > > I found that `glob_sym` does not check whether it is NULL when reading the > code. `glob_sym` obtains the pointer of btf information in the linker from > `find_glob_sym`, which may be return NULL pointer. However, the code then > references `glob_sym->sec_id`. This may cause program to crash. > May cause a crash or did you actually see an example of such a crash? As far as I can see from the code, such global_sym is guaranteed to exist, see how btf_type_map is filled in linker_append_btf(), slightly above the code you are trying to fix > Fixes: a46349227cd8 ("libbpf: Add linker extern resolution support for functions and global variables") > Signed-off-by: Xin Liu <liuxin350@huawei.com> > Signed-off-by: Weibin Kong <kongweibin2@huawei.com> > --- > tools/lib/bpf/linker.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c > index 4ac02c28e152..d02d2754910f 100644 > --- a/tools/lib/bpf/linker.c > +++ b/tools/lib/bpf/linker.c > @@ -2355,6 +2355,11 @@ static int linker_append_btf(struct bpf_linker *linker, struct src_obj *obj) > if (btf_is_non_static(t)) { > name = btf__str_by_offset(linker->btf, t->name_off); > glob_sym = find_glob_sym(linker, name); > + if (!glob_sym) { > + pr_warn("global '%s': section mismatch %d\n", name, > + dst_sec->id); > + return -EINVAL; > + } > if (glob_sym->sec_id != dst_sec->id) { > pr_warn("global '%s': section mismatch %d vs %d\n", > name, glob_sym->sec_id, dst_sec->id); > -- > 2.33.0 >
diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c index 4ac02c28e152..d02d2754910f 100644 --- a/tools/lib/bpf/linker.c +++ b/tools/lib/bpf/linker.c @@ -2355,6 +2355,11 @@ static int linker_append_btf(struct bpf_linker *linker, struct src_obj *obj) if (btf_is_non_static(t)) { name = btf__str_by_offset(linker->btf, t->name_off); glob_sym = find_glob_sym(linker, name); + if (!glob_sym) { + pr_warn("global '%s': section mismatch %d\n", name, + dst_sec->id); + return -EINVAL; + } if (glob_sym->sec_id != dst_sec->id) { pr_warn("global '%s': section mismatch %d vs %d\n", name, glob_sym->sec_id, dst_sec->id);