[bpf-next,v2,0/2] bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos

Message ID	20240822001837.2715909-1-eddyz87@gmail.com (mailing list archive)
Headers	show Received: from mail-ot1-f45.google.com (mail-ot1-f45.google.com [209.85.210.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EC5EA4C81 for <bpf@vger.kernel.org>; Thu, 22 Aug 2024 00:18:51 +0000 (UTC) From: Eduard Zingerman <eddyz87@gmail.com> To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yonghong.song@linux.dev, cnitlrt@gmail.com, Eduard Zingerman <eddyz87@gmail.com> Subject: [PATCH bpf-next v2 0/2] bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos Date: Wed, 21 Aug 2024 17:18:35 -0700 Message-ID: <20240822001837.2715909-1-eddyz87@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos \| expand [bpf-next,v2,0/2] bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos [bpf-next,v2,1/2] bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos [bpf-next,v2,2/2] selftests/bpf: test for malformed BPF_CORE_TYPE_ID_LOCAL relocation

Message ID

20240822001837.2715909-1-eddyz87@gmail.com (mailing list archive)

Headers

From: Eduard Zingerman <eddyz87@gmail.com>
To: bpf@vger.kernel.org,
	ast@kernel.org
Cc: andrii@kernel.org,
	daniel@iogearbox.net,
	martin.lau@linux.dev,
	kernel-team@fb.com,
	yonghong.song@linux.dev,
	cnitlrt@gmail.com,
	Eduard Zingerman <eddyz87@gmail.com>
Subject: [PATCH bpf-next v2 0/2] bpf: fix null pointer access for malformed
 BPF_CORE_TYPE_ID_LOCAL relos
Date: Wed, 21 Aug 2024 17:18:35 -0700
Message-ID: <20240822001837.2715909-1-eddyz87@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

bpf: fix null pointer access for malformed BPF_CORE_TYPE_ID_LOCAL relos | expand

Message

Eduard Zingerman Aug. 22, 2024, 12:18 a.m. UTC

Liu RuiTong reported an in-kernel null pointer derefence when
processing BPF_CORE_TYPE_ID_LOCAL relocations referencing non-existing
BTF types. Fix this by adding proper id checks.

Changes v1->v2:
- moved check from bpf_core_calc_relo_insn() to bpf_core_apply()
  now both in kernel and in libbpf relocation type id is guaranteed
  to exist when bpf_core_calc_relo_insn() is called;
- added a test case.

v1: https://lore.kernel.org/bpf/20240821164620.1056362-1-eddyz87@gmail.com/

Eduard Zingerman (2):
  bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
  selftests/bpf: test for malformed BPF_CORE_TYPE_ID_LOCAL relocation

 kernel/bpf/btf.c                              |   8 ++
 .../selftests/bpf/prog_tests/core_reloc_raw.c | 124 ++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/core_reloc_raw.c