libbpf:fix use empty function pointers in ringbuf_poll

Commit Message

Xin Liu June 5, 2023, 3:34 a.m. UTC

From: zhangmingyi <zhangmingyi5@huawei.com>

The sample_cb of the ring_buffer__new interface can transfer NULL. However,
the system does not check whether sample_cb is NULL during 
ring_buffer__poll, null pointer is used.

Signed-off-by: zhangmingyi <zhangmingyi5@huawei.com>
---
 tools/lib/bpf/ringbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stanislav Fomichev June 5, 2023, 5:26 p.m. UTC | #1

On 06/05, Xin Liu wrote:
> From: zhangmingyi <zhangmingyi5@huawei.com>
> 
> The sample_cb of the ring_buffer__new interface can transfer NULL. However,
> the system does not check whether sample_cb is NULL during 
> ring_buffer__poll, null pointer is used.

What is the point of calling ring_buffer__new with sample_cb == NULL?

zhangmingyi June 8, 2023, 12:58 p.m. UTC | #2

On 06/06,Stanislav Fomichev wrote:

> On 06/05, Xin Liu wrote:
> > From: zhangmingyi <zhangmingyi5@huawei.com>
> 
> > The sample_cb of the ring_buffer__new interface can transfer NULL. However,
> > the system does not check whether sample_cb is NULL during 
> > ring_buffer__poll, null pointer is used.

> What is the point of calling ring_buffer__new with sample_cb == NULL?

Yes, as you said, passing sample_cb in ring_buffer__new to NULL doesn't 
make sense, and few people use it that way, but that doesn't prevent this 
from being a allowed and supported scenario. And when ring_buffer__poll is 
called, it leads to a segmentation fault (core dump), which I think needs 
to be fixed to ensure the security quality of libbpf.

Stanislav Fomichev June 8, 2023, 4:27 p.m. UTC | #3

On Thu, Jun 8, 2023 at 6:00 AM zhangmingyi <zhangmingyi5@huawei.com> wrote:
>
> On 06/06,Stanislav Fomichev wrote:
>
> > On 06/05, Xin Liu wrote:
> > > From: zhangmingyi <zhangmingyi5@huawei.com>
> >
> > > The sample_cb of the ring_buffer__new interface can transfer NULL. However,
> > > the system does not check whether sample_cb is NULL during
> > > ring_buffer__poll, null pointer is used.
>
> > What is the point of calling ring_buffer__new with sample_cb == NULL?
>
> Yes, as you said, passing sample_cb in ring_buffer__new to NULL doesn't
> make sense, and few people use it that way, but that doesn't prevent this
> from being a allowed and supported scenario. And when ring_buffer__poll is
> called, it leads to a segmentation fault (core dump), which I think needs
> to be fixed to ensure the security quality of libbpf.

I dunno. I'd argue that passing a NULL to ring_buffer__new is an API
misuse. Maybe ring_buffer__new should return -EINVAL instead when
passed NULL sample_cb? Although, we don't usually have those checks
for the majority of the arguments in libbpf...

Andrii Nakryiko June 8, 2023, 5:38 p.m. UTC | #4

On Thu, Jun 8, 2023 at 9:27 AM Stanislav Fomichev <sdf@google.com> wrote:
>
> On Thu, Jun 8, 2023 at 6:00 AM zhangmingyi <zhangmingyi5@huawei.com> wrote:
> >
> > On 06/06,Stanislav Fomichev wrote:
> >
> > > On 06/05, Xin Liu wrote:
> > > > From: zhangmingyi <zhangmingyi5@huawei.com>
> > >
> > > > The sample_cb of the ring_buffer__new interface can transfer NULL. However,
> > > > the system does not check whether sample_cb is NULL during
> > > > ring_buffer__poll, null pointer is used.
> >
> > > What is the point of calling ring_buffer__new with sample_cb == NULL?
> >
> > Yes, as you said, passing sample_cb in ring_buffer__new to NULL doesn't
> > make sense, and few people use it that way, but that doesn't prevent this
> > from being a allowed and supported scenario. And when ring_buffer__poll is
> > called, it leads to a segmentation fault (core dump), which I think needs
> > to be fixed to ensure the security quality of libbpf.
>
> I dunno. I'd argue that passing a NULL to ring_buffer__new is an API
> misuse. Maybe ring_buffer__new should return -EINVAL instead when
> passed NULL sample_cb? Although, we don't usually have those checks
> for the majority of the arguments in libbpf...

Right. I'd say we should add a proper doc comment specifying all
arguments and which ones are optional or not. And make it explicit
that callback is not optional. If we start checking every possible
pointer for NULL, libbpf will be littered with NULL checks, I'm not
sure that's good.

zhangmingyi June 9, 2023, 9:36 a.m. UTC | #5

On Fri, Jun 9, 2023 at 1:39 AM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
 
> On Thu, Jun 8, 2023 at 9:27 AM Stanislav Fomichev <sdf@google.com> wrote:
> >
> > On Thu, Jun 8, 2023 at 6:00 AM zhangmingyi <zhangmingyi5@huawei.com> wrote:
> > >
> > > On 06/06,Stanislav Fomichev wrote:
> > >
> > > > On 06/05, Xin Liu wrote:
> > > > > From: zhangmingyi <zhangmingyi5@huawei.com>
> > > >
> > > > > The sample_cb of the ring_buffer__new interface can transfer NULL. However,
> > > > > the system does not check whether sample_cb is NULL during
> > > > > ring_buffer__poll, null pointer is used.
> > >
> > > > What is the point of calling ring_buffer__new with sample_cb == NULL?
> > >
> > > Yes, as you said, passing sample_cb in ring_buffer__new to NULL doesn't
> > > make sense, and few people use it that way, but that doesn't prevent this
> > > from being a allowed and supported scenario. And when ring_buffer__poll is
> > > called, it leads to a segmentation fault (core dump), which I think needs
> > > to be fixed to ensure the security quality of libbpf.
> >
> > I dunno. I'd argue that passing a NULL to ring_buffer__new is an API
> > misuse. Maybe ring_buffer__new should return -EINVAL instead when
> > passed NULL sample_cb? Although, we don't usually have those checks
> > for the majority of the arguments in libbpf...
> 
> Right. I'd say we should add a proper doc comment specifying all
> arguments and which ones are optional or not. And make it explicit
> that callback is not optional. If we start checking every possible
> pointer for NULL, libbpf will be littered with NULL checks, I'm not
> sure that's good.

I agree, we should add a proper doc comment specifying all
arguments and which ones are optional or not.
However, why does the external interface API in libbpf not verify input 
parameters or add verification where risky operations may exist? 
What's more, i think sample_cb=NULL is not strictly a mistake or 
prohibited use, and is meaningless.

Stanislav Fomichev June 9, 2023, 4:55 p.m. UTC | #6

On Fri, Jun 9, 2023 at 2:38 AM zhangmingyi <zhangmingyi5@huawei.com> wrote:
>
> On Fri, Jun 9, 2023 at 1:39 AM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
>
> > On Thu, Jun 8, 2023 at 9:27 AM Stanislav Fomichev <sdf@google.com> wrote:
> > >
> > > On Thu, Jun 8, 2023 at 6:00 AM zhangmingyi <zhangmingyi5@huawei.com> wrote:
> > > >
> > > > On 06/06,Stanislav Fomichev wrote:
> > > >
> > > > > On 06/05, Xin Liu wrote:
> > > > > > From: zhangmingyi <zhangmingyi5@huawei.com>
> > > > >
> > > > > > The sample_cb of the ring_buffer__new interface can transfer NULL. However,
> > > > > > the system does not check whether sample_cb is NULL during
> > > > > > ring_buffer__poll, null pointer is used.
> > > >
> > > > > What is the point of calling ring_buffer__new with sample_cb == NULL?
> > > >
> > > > Yes, as you said, passing sample_cb in ring_buffer__new to NULL doesn't
> > > > make sense, and few people use it that way, but that doesn't prevent this
> > > > from being a allowed and supported scenario. And when ring_buffer__poll is
> > > > called, it leads to a segmentation fault (core dump), which I think needs
> > > > to be fixed to ensure the security quality of libbpf.
> > >
> > > I dunno. I'd argue that passing a NULL to ring_buffer__new is an API
> > > misuse. Maybe ring_buffer__new should return -EINVAL instead when
> > > passed NULL sample_cb? Although, we don't usually have those checks
> > > for the majority of the arguments in libbpf...
> >
> > Right. I'd say we should add a proper doc comment specifying all
> > arguments and which ones are optional or not. And make it explicit
> > that callback is not optional. If we start checking every possible
> > pointer for NULL, libbpf will be littered with NULL checks, I'm not
> > sure that's good.
>
> I agree, we should add a proper doc comment specifying all
> arguments and which ones are optional or not.
> However, why does the external interface API in libbpf not verify input
> parameters or add verification where risky operations may exist?
> What's more, i think sample_cb=NULL is not strictly a mistake or
> prohibited use, and is meaningless.

It's not really customary in C to do it? So maybe you can follow up
with the update to the doc?

The kindergarten is over, you pass NULL you get SIGSEGV :-D

Andrii Nakryiko June 9, 2023, 6:23 p.m. UTC | #7

On Fri, Jun 9, 2023 at 9:55 AM Stanislav Fomichev <sdf@google.com> wrote:
>
> On Fri, Jun 9, 2023 at 2:38 AM zhangmingyi <zhangmingyi5@huawei.com> wrote:
> >
> > On Fri, Jun 9, 2023 at 1:39 AM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
> >
> > > On Thu, Jun 8, 2023 at 9:27 AM Stanislav Fomichev <sdf@google.com> wrote:
> > > >
> > > > On Thu, Jun 8, 2023 at 6:00 AM zhangmingyi <zhangmingyi5@huawei.com> wrote:
> > > > >
> > > > > On 06/06,Stanislav Fomichev wrote:
> > > > >
> > > > > > On 06/05, Xin Liu wrote:
> > > > > > > From: zhangmingyi <zhangmingyi5@huawei.com>
> > > > > >
> > > > > > > The sample_cb of the ring_buffer__new interface can transfer NULL. However,
> > > > > > > the system does not check whether sample_cb is NULL during
> > > > > > > ring_buffer__poll, null pointer is used.
> > > > >
> > > > > > What is the point of calling ring_buffer__new with sample_cb == NULL?
> > > > >
> > > > > Yes, as you said, passing sample_cb in ring_buffer__new to NULL doesn't
> > > > > make sense, and few people use it that way, but that doesn't prevent this
> > > > > from being a allowed and supported scenario. And when ring_buffer__poll is
> > > > > called, it leads to a segmentation fault (core dump), which I think needs
> > > > > to be fixed to ensure the security quality of libbpf.
> > > >
> > > > I dunno. I'd argue that passing a NULL to ring_buffer__new is an API
> > > > misuse. Maybe ring_buffer__new should return -EINVAL instead when
> > > > passed NULL sample_cb? Although, we don't usually have those checks
> > > > for the majority of the arguments in libbpf...
> > >
> > > Right. I'd say we should add a proper doc comment specifying all
> > > arguments and which ones are optional or not. And make it explicit
> > > that callback is not optional. If we start checking every possible
> > > pointer for NULL, libbpf will be littered with NULL checks, I'm not
> > > sure that's good.
> >
> > I agree, we should add a proper doc comment specifying all
> > arguments and which ones are optional or not.
> > However, why does the external interface API in libbpf not verify input
> > parameters or add verification where risky operations may exist?
> > What's more, i think sample_cb=NULL is not strictly a mistake or
> > prohibited use, and is meaningless.
>
> It's not really customary in C to do it? So maybe you can follow up
> with the update to the doc?

Yep, we do not check every `struct bpf_object *` pointer to be non-NULL.

Having said that, I don't think it's such a big deal to make this
callback optional by assigning a no-op callback.

So let's definitely update doc comments to be explicit about one way
or the other. For the callback, let's just not do it on every record.
Just once during initialization would be better.

>
> The kindergarten is over, you pass NULL you get SIGSEGV :-D

Patch

diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c
index 02199364db13..3661338a1d2e 100644
--- a/tools/lib/bpf/ringbuf.c
+++ b/tools/lib/bpf/ringbuf.c
@@ -248,7 +248,7 @@  static int64_t ringbuf_process_ring(struct ring *r)
 			got_new_data = true;
 			cons_pos += roundup_len(len);
 
-			if ((len & BPF_RINGBUF_DISCARD_BIT) == 0) {
+			if (r->sample_cb && ((len & BPF_RINGBUF_DISCARD_BIT) == 0)) {
 				sample = (void *)len_ptr + BPF_RINGBUF_HDR_SZ;
 				err = r->sample_cb(r->ctx, sample, len);
 				if (err < 0) {