[bpf,v2,0/3] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug

Message ID	20230917214220.637721-1-jinghao7@illinois.edu (mailing list archive)
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 456D86FC1 for <bpf@vger.kernel.org>; Sun, 17 Sep 2023 21:43:03 +0000 (UTC) From: Jinghao Jia <jinghao7@illinois.edu> To: bpf@vger.kernel.org Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, jinghao@linux.ibm.com, Jinghao Jia <jinghao7@illinois.edu> Subject: [PATCH bpf v2 0/3] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug Date: Sun, 17 Sep 2023 16:42:17 -0500 Message-ID: <20230917214220.637721-1-jinghao7@illinois.edu> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug \| expand [bpf,v2,0/3] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug [bpf,v2,1/3] samples/bpf: Add -fsanitize=bounds to userspace programs [bpf,v2,2/3] samples/bpf: syscall_tp_user: Rename num_progs into nr_tests [bpf,v2,3/3] samples/bpf: syscall_tp_user: Fix array out-of-bound access

Message ID

20230917214220.637721-1-jinghao7@illinois.edu (mailing list archive)

Headers

From: Jinghao Jia <jinghao7@illinois.edu>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
        jinghao@linux.ibm.com, Jinghao Jia <jinghao7@illinois.edu>
Subject: [PATCH bpf v2 0/3] samples/bpf: syscall_tp_user: Refactor and fix
 array index out-of-bounds bug
Date: Sun, 17 Sep 2023 16:42:17 -0500
Message-ID: <20230917214220.637721-1-jinghao7@illinois.edu>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug | expand

Message

Jinghao Jia Sept. 17, 2023, 9:42 p.m. UTC

There are currently 6 BPF programs in syscall_tp_kern but the array to
hold the corresponding bpf_links in syscall_tp_user only has space for 4
programs, given the array size is hardcoded. This causes the sample
program to fail due to an out-of-bound access that corrupts other stack
variables:

  # ./syscall_tp
  prog #0: map ids 4 5
  verify map:4 val: 5
  map_lookup failed: Bad file descriptor

This patch series aims to solve this issue for now and for the future.
It first adds the -fsanitize=bounds flag to make similar bugs more
obvious at runtime. It then refactors syscall_tp_user to retrieve the
number of programs from the bpf_object and dynamically allocate the
array of bpf_links to avoid inconsistencies from hardcoding.

Changelog:
---
v1 -> v2
v1: https://lore.kernel.org/all/20230818164643.97782-1-jinghao@linux.ibm.com/

* Address feedback from Daniel
  * Add missing NULL check for calloc return value.
  * Remove the extra operation that sets links pointer to NULL after free.

Jinghao Jia (3):
  samples/bpf: Add -fsanitize=bounds to userspace programs
  samples/bpf: syscall_tp_user: Rename num_progs into nr_tests
  samples/bpf: syscall_tp_user: Fix array out-of-bound access

 samples/bpf/Makefile          |  1 +
 samples/bpf/syscall_tp_user.c | 45 ++++++++++++++++++++++++-----------
 2 files changed, 32 insertions(+), 14 deletions(-)

--
2.42.0

Comments

patchwork-bot+netdevbpf@kernel.org Sept. 21, 2023, 9:40 p.m. UTC | #1

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Sun, 17 Sep 2023 16:42:17 -0500 you wrote:
> There are currently 6 BPF programs in syscall_tp_kern but the array to
> hold the corresponding bpf_links in syscall_tp_user only has space for 4
> programs, given the array size is hardcoded. This causes the sample
> program to fail due to an out-of-bound access that corrupts other stack
> variables:
> 
>   # ./syscall_tp
>   prog #0: map ids 4 5
>   verify map:4 val: 5
>   map_lookup failed: Bad file descriptor
> 
> [...]

Here is the summary with links:
  - [bpf,v2,1/3] samples/bpf: Add -fsanitize=bounds to userspace programs
    (no matching commit)
  - [bpf,v2,2/3] samples/bpf: syscall_tp_user: Rename num_progs into nr_tests
    https://git.kernel.org/bpf/bpf-next/c/0ee352fe0d28
  - [bpf,v2,3/3] samples/bpf: syscall_tp_user: Fix array out-of-bound access
    https://git.kernel.org/bpf/bpf-next/c/9220c3ef6fef

You are awesome, thank you!