diff mbox series

[bpf,1/3] libbpf: use elf_getshdrnum() instead of e_shnum

Message ID 20221007174816.17536-2-shung-hsi.yu@suse.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series libbpf: fix fuzzer-reported issues | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 12 of 12 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 28 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-VM_Test-13 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-PR fail PR summary
bpf/vmtest-bpf-VM_Test-4 success Logs for llvm-toolchain
bpf/vmtest-bpf-VM_Test-5 success Logs for set-matrix
bpf/vmtest-bpf-VM_Test-2 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-3 success Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-1 success Logs for build for s390x with gcc
bpf/vmtest-bpf-VM_Test-15 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-VM_Test-16 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-6 success Logs for test_maps on s390x with gcc
bpf/vmtest-bpf-VM_Test-7 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-12 fail Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-VM_Test-14 success Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-17 success Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-8 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-9 fail Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-VM_Test-10 success Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-11 success Logs for test_progs on x86_64 with llvm-16

Commit Message

Shung-Hsi Yu Oct. 7, 2022, 5:48 p.m. UTC 
This commit replace e_shnum with the elf_getshdrnum() helper to fix two
oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
reports are incorrectly marked as fixed and while still being
reproducible in the latest libbpf.

  # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
  libbpf: loading object 'fuzz-object' from buffer
  libbpf: sec_cnt is 0
  libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
  libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
  =================================================================
  ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
  WRITE of size 4 at 0x6020000000c0 thread T0
  SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
      #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
      #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
      #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
      ...

The issue lie in libbpf's direct use of e_shnum field in ELF header as
the section header count. Where as libelf, on the other hand,
implemented an extra logic that, when e_shnum is zero and e_shoff is not
zero, will use sh_size member of the initial section header as the real
section header count (part of ELF spec to accommodate situation where
section header counter is larger than SHN_LORESERVE).

The above inconsistency lead to libbpf writing into a zero-entry calloc
area. So intead of using e_shnum directly, use the elf_getshdrnum()
helper provided by libelf to retrieve the section header counter into
sec_cnt.

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
---

To be honest I'm not sure if any of the BPF toolchain will produce such
ELF binary. Tools like readelf simply refuse to dump section header
table when e_shnum==0 && e_shoff !=0 case is encountered.

While we can use same approach as readelf, opting for a coherent view
with libelf for now since that should be less confusing.

---
 tools/lib/bpf/libbpf.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--
2.37.3

Comments

Andrii Nakryiko Oct. 11, 2022, 12:44 a.m. UTC | #1 
On Fri, Oct 7, 2022 at 10:48 AM Shung-Hsi Yu <shung-hsi.yu@suse.com> wrote:
>
> This commit replace e_shnum with the elf_getshdrnum() helper to fix two
> oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
> reports are incorrectly marked as fixed and while still being
> reproducible in the latest libbpf.
>
>   # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
>   libbpf: loading object 'fuzz-object' from buffer
>   libbpf: sec_cnt is 0
>   libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
>   libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
>   =================================================================
>   ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
>   WRITE of size 4 at 0x6020000000c0 thread T0
>   SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
>       #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
>       #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
>       #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
>       ...
>
> The issue lie in libbpf's direct use of e_shnum field in ELF header as
> the section header count. Where as libelf, on the other hand,
> implemented an extra logic that, when e_shnum is zero and e_shoff is not
> zero, will use sh_size member of the initial section header as the real
> section header count (part of ELF spec to accommodate situation where
> section header counter is larger than SHN_LORESERVE).
>
> The above inconsistency lead to libbpf writing into a zero-entry calloc
> area. So intead of using e_shnum directly, use the elf_getshdrnum()
> helper provided by libelf to retrieve the section header counter into
> sec_cnt.
>
> Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
> Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
> Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
> Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
> Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> ---
>
> To be honest I'm not sure if any of the BPF toolchain will produce such
> ELF binary. Tools like readelf simply refuse to dump section header
> table when e_shnum==0 && e_shoff !=0 case is encountered.
>
> While we can use same approach as readelf, opting for a coherent view
> with libelf for now since that should be less confusing.
>
> ---
>  tools/lib/bpf/libbpf.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 184ce1684dcd..a64e13c654f3 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -597,7 +597,7 @@ struct elf_state {
>         size_t shstrndx; /* section index for section name strings */
>         size_t strtabidx;
>         struct elf_sec_desc *secs;
> -       int sec_cnt;
> +       size_t sec_cnt;
>         int btf_maps_shndx;
>         __u32 btf_maps_sec_btf_id;
>         int text_shndx;
> @@ -1369,6 +1369,13 @@ static int bpf_object__elf_init(struct bpf_object *obj)
>                 goto errout;
>         }
>
> +       if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {

It bothers me that sec_cnt is initialized in bpf_object__elf_init, but
secs are allocated a bit later in bpf_object__elf_collect(). What if
we move elf_getshdrnum() call and sec_cnt initialization into
bpf_object__elf_collect()?

> +               pr_warn("elf: failed to get the number of sections for %s: %s\n",
> +                       obj->path, elf_errmsg(-1));
> +               err = -LIBBPF_ERRNO__FORMAT;
> +               goto errout;
> +       }
> +
>         /* Elf is corrupted/truncated, avoid calling elf_strptr. */
>         if (!elf_rawdata(elf_getscn(elf, obj->efile.shstrndx), NULL)) {
>                 pr_warn("elf: failed to get section names strings from %s: %s\n",
> @@ -3315,7 +3322,6 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
>          * section. e_shnum does include sec #0, so e_shnum is the necessary
>          * size of an array to keep all the sections.
>          */
> -       obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
>         obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
>         if (!obj->efile.secs)
>                 return -ENOMEM;
> --
> 2.37.3
>
Shung-Hsi Yu Oct. 11, 2022, 3:55 a.m. UTC | #2 
On Mon, Oct 10, 2022 at 05:44:20PM -0700, Andrii Nakryiko wrote:
> On Fri, Oct 7, 2022 at 10:48 AM Shung-Hsi Yu <shung-hsi.yu@suse.com> wrote:
> >
> > This commit replace e_shnum with the elf_getshdrnum() helper to fix two
> > oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
> > reports are incorrectly marked as fixed and while still being
> > reproducible in the latest libbpf.
> >
> >   # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
> >   libbpf: loading object 'fuzz-object' from buffer
> >   libbpf: sec_cnt is 0
> >   libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
> >   libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
> >   =================================================================
> >   ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
> >   WRITE of size 4 at 0x6020000000c0 thread T0
> >   SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
> >       #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
> >       #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
> >       #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
> >       ...
> >
> > The issue lie in libbpf's direct use of e_shnum field in ELF header as
> > the section header count. Where as libelf, on the other hand,
> > implemented an extra logic that, when e_shnum is zero and e_shoff is not
> > zero, will use sh_size member of the initial section header as the real
> > section header count (part of ELF spec to accommodate situation where
> > section header counter is larger than SHN_LORESERVE).
> >
> > The above inconsistency lead to libbpf writing into a zero-entry calloc
> > area. So intead of using e_shnum directly, use the elf_getshdrnum()
> > helper provided by libelf to retrieve the section header counter into
> > sec_cnt.
> >
> > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
> > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
> > Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
> > Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
> > Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> > ---
> >
> > To be honest I'm not sure if any of the BPF toolchain will produce such
> > ELF binary. Tools like readelf simply refuse to dump section header
> > table when e_shnum==0 && e_shoff !=0 case is encountered.
> >
> > While we can use same approach as readelf, opting for a coherent view
> > with libelf for now since that should be less confusing.
> >
> > ---
> >  tools/lib/bpf/libbpf.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > index 184ce1684dcd..a64e13c654f3 100644
> > --- a/tools/lib/bpf/libbpf.c
> > +++ b/tools/lib/bpf/libbpf.c
> > @@ -597,7 +597,7 @@ struct elf_state {
> >         size_t shstrndx; /* section index for section name strings */
> >         size_t strtabidx;
> >         struct elf_sec_desc *secs;
> > -       int sec_cnt;
> > +       size_t sec_cnt;
> >         int btf_maps_shndx;
> >         __u32 btf_maps_sec_btf_id;
> >         int text_shndx;
> > @@ -1369,6 +1369,13 @@ static int bpf_object__elf_init(struct bpf_object *obj)
> >                 goto errout;
> >         }
> >
> > +       if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {
> 
> It bothers me that sec_cnt is initialized in bpf_object__elf_init, but
> secs are allocated a bit later in bpf_object__elf_collect(). What if
> we move elf_getshdrnum() call and sec_cnt initialization into
> bpf_object__elf_collect()?

Ack.

My rational for placing it there was that it's closer to other elf_*()
helper calls, but having it close to the allocation where it's used seems
like a better option.

Will change accordingly and send a v2 based on top of bpf-next.

> > +               pr_warn("elf: failed to get the number of sections for %s: %s\n",
> > +                       obj->path, elf_errmsg(-1));
> > +               err = -LIBBPF_ERRNO__FORMAT;
> > +               goto errout;
> > +       }
> > +
> >         /* Elf is corrupted/truncated, avoid calling elf_strptr. */
> >         if (!elf_rawdata(elf_getscn(elf, obj->efile.shstrndx), NULL)) {
> >                 pr_warn("elf: failed to get section names strings from %s: %s\n",
> > @@ -3315,7 +3322,6 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
> >          * section. e_shnum does include sec #0, so e_shnum is the necessary
> >          * size of an array to keep all the sections.
> >          */
> > -       obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
> >         obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
> >         if (!obj->efile.secs)
> >                 return -ENOMEM;
> > --
> > 2.37.3
> >
Shung-Hsi Yu Oct. 11, 2022, 2:53 p.m. UTC | #3 
On Tue, Oct 11, 2022 at 11:55:21AM +0800, Shung-Hsi Yu wrote:
> On Mon, Oct 10, 2022 at 05:44:20PM -0700, Andrii Nakryiko wrote:
> > On Fri, Oct 7, 2022 at 10:48 AM Shung-Hsi Yu <shung-hsi.yu@suse.com> wrote:
> > >
> > > This commit replace e_shnum with the elf_getshdrnum() helper to fix two
> > > oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
> > > reports are incorrectly marked as fixed and while still being
> > > reproducible in the latest libbpf.
> > >
> > >   # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
> > >   libbpf: loading object 'fuzz-object' from buffer
> > >   libbpf: sec_cnt is 0
> > >   libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
> > >   libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
> > >   =================================================================
> > >   ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
> > >   WRITE of size 4 at 0x6020000000c0 thread T0
> > >   SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
> > >       #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
> > >       #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
> > >       #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
> > >       ...
> > >
> > > The issue lie in libbpf's direct use of e_shnum field in ELF header as
> > > the section header count. Where as libelf, on the other hand,
> > > implemented an extra logic that, when e_shnum is zero and e_shoff is not
> > > zero, will use sh_size member of the initial section header as the real
> > > section header count (part of ELF spec to accommodate situation where
> > > section header counter is larger than SHN_LORESERVE).
> > >
> > > The above inconsistency lead to libbpf writing into a zero-entry calloc
> > > area. So intead of using e_shnum directly, use the elf_getshdrnum()
> > > helper provided by libelf to retrieve the section header counter into
> > > sec_cnt.
> > >
> > > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
> > > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
> > > Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
> > > Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
> > > Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> > > ---
> > >
> > > To be honest I'm not sure if any of the BPF toolchain will produce such
> > > ELF binary. Tools like readelf simply refuse to dump section header
> > > table when e_shnum==0 && e_shoff !=0 case is encountered.
> > >
> > > While we can use same approach as readelf, opting for a coherent view
> > > with libelf for now since that should be less confusing.
> > >
> > > ---
> > >  tools/lib/bpf/libbpf.c | 10 ++++++++--
> > >  1 file changed, 8 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > > index 184ce1684dcd..a64e13c654f3 100644
> > > --- a/tools/lib/bpf/libbpf.c
> > > +++ b/tools/lib/bpf/libbpf.c
> > > @@ -597,7 +597,7 @@ struct elf_state {
> > >         size_t shstrndx; /* section index for section name strings */
> > >         size_t strtabidx;
> > >         struct elf_sec_desc *secs;
> > > -       int sec_cnt;
> > > +       size_t sec_cnt;
> > >         int btf_maps_shndx;
> > >         __u32 btf_maps_sec_btf_id;
> > >         int text_shndx;
> > > @@ -1369,6 +1369,13 @@ static int bpf_object__elf_init(struct bpf_object *obj)
> > >                 goto errout;
> > >         }
> > >
> > > +       if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {
> > 
> > It bothers me that sec_cnt is initialized in bpf_object__elf_init, but
> > secs are allocated a bit later in bpf_object__elf_collect(). What if
> > we move elf_getshdrnum() call and sec_cnt initialization into
> > bpf_object__elf_collect()?
> 
> Ack.
> 
> My rational for placing it there was that it's closer to other elf_*()
> helper calls, but having it close to the allocation where it's used seems
> like a better option.
> 
> Will change accordingly and send a v2 based on top of bpf-next.
> 
> > > +               pr_warn("elf: failed to get the number of sections for %s: %s\n",
> > > +                       obj->path, elf_errmsg(-1));
> > > +               err = -LIBBPF_ERRNO__FORMAT;
> > > +               goto errout;
> > > +       }
> > > +
> > >         /* Elf is corrupted/truncated, avoid calling elf_strptr. */
> > >         if (!elf_rawdata(elf_getscn(elf, obj->efile.shstrndx), NULL)) {
> > >                 pr_warn("elf: failed to get section names strings from %s: %s\n",
> > > @@ -3315,7 +3322,6 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
> > >          * section. e_shnum does include sec #0, so e_shnum is the necessary
> > >          * size of an array to keep all the sections.
> > >          */
> > > -       obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
> > >         obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));

Looking again I realized we're still allocation one more section than
necessary, even after 0d6988e16a12 ("libbpf: Fix section counting logic").

elf_nextscn() skips sec #0, so (sec_cnt - 1) * sizeof(secs) should suffice.

  /* In elfutils/libelf/elf_nextscn.c */
  Elf_Scn *elf_nextscn (Elf *elf, Elf_Scn *scn)
  {
    ...
  
    if (scn == NULL)
      {
        /* If no section handle is given return the first (not 0th) section.
  	 Set scn to the 0th section and perform nextscn.  */
        if (elf->class == ELFCLASS32
  	   || (offsetof (Elf, state.elf32.scns)
  	       == offsetof (Elf, state.elf64.scns)))
  	list = &elf->state.elf32.scns;
        else
  	list = &elf->state.elf64.scns;
  
        scn = &list->data[0];
      }
    ...
  }

What do you think? If it make sense then I'll place the sec_cnt - 1 change
before the current patch unless otherwise suggested.

> > >         if (!obj->efile.secs)
> > >                 return -ENOMEM;
> > > --
> > > 2.37.3
> > >
Andrii Nakryiko Oct. 11, 2022, 4:06 p.m. UTC | #4 
On Tue, Oct 11, 2022 at 7:53 AM Shung-Hsi Yu <shung-hsi.yu@suse.com> wrote:
>
> On Tue, Oct 11, 2022 at 11:55:21AM +0800, Shung-Hsi Yu wrote:
> > On Mon, Oct 10, 2022 at 05:44:20PM -0700, Andrii Nakryiko wrote:
> > > On Fri, Oct 7, 2022 at 10:48 AM Shung-Hsi Yu <shung-hsi.yu@suse.com> wrote:
> > > >
> > > > This commit replace e_shnum with the elf_getshdrnum() helper to fix two
> > > > oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
> > > > reports are incorrectly marked as fixed and while still being
> > > > reproducible in the latest libbpf.
> > > >
> > > >   # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
> > > >   libbpf: loading object 'fuzz-object' from buffer
> > > >   libbpf: sec_cnt is 0
> > > >   libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
> > > >   libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
> > > >   =================================================================
> > > >   ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
> > > >   WRITE of size 4 at 0x6020000000c0 thread T0
> > > >   SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
> > > >       #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
> > > >       #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
> > > >       #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
> > > >       ...
> > > >
> > > > The issue lie in libbpf's direct use of e_shnum field in ELF header as
> > > > the section header count. Where as libelf, on the other hand,
> > > > implemented an extra logic that, when e_shnum is zero and e_shoff is not
> > > > zero, will use sh_size member of the initial section header as the real
> > > > section header count (part of ELF spec to accommodate situation where
> > > > section header counter is larger than SHN_LORESERVE).
> > > >
> > > > The above inconsistency lead to libbpf writing into a zero-entry calloc
> > > > area. So intead of using e_shnum directly, use the elf_getshdrnum()
> > > > helper provided by libelf to retrieve the section header counter into
> > > > sec_cnt.
> > > >
> > > > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
> > > > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
> > > > Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
> > > > Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
> > > > Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> > > > ---
> > > >
> > > > To be honest I'm not sure if any of the BPF toolchain will produce such
> > > > ELF binary. Tools like readelf simply refuse to dump section header
> > > > table when e_shnum==0 && e_shoff !=0 case is encountered.
> > > >
> > > > While we can use same approach as readelf, opting for a coherent view
> > > > with libelf for now since that should be less confusing.
> > > >
> > > > ---
> > > >  tools/lib/bpf/libbpf.c | 10 ++++++++--
> > > >  1 file changed, 8 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > > > index 184ce1684dcd..a64e13c654f3 100644
> > > > --- a/tools/lib/bpf/libbpf.c
> > > > +++ b/tools/lib/bpf/libbpf.c
> > > > @@ -597,7 +597,7 @@ struct elf_state {
> > > >         size_t shstrndx; /* section index for section name strings */
> > > >         size_t strtabidx;
> > > >         struct elf_sec_desc *secs;
> > > > -       int sec_cnt;
> > > > +       size_t sec_cnt;
> > > >         int btf_maps_shndx;
> > > >         __u32 btf_maps_sec_btf_id;
> > > >         int text_shndx;
> > > > @@ -1369,6 +1369,13 @@ static int bpf_object__elf_init(struct bpf_object *obj)
> > > >                 goto errout;
> > > >         }
> > > >
> > > > +       if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {
> > >
> > > It bothers me that sec_cnt is initialized in bpf_object__elf_init, but
> > > secs are allocated a bit later in bpf_object__elf_collect(). What if
> > > we move elf_getshdrnum() call and sec_cnt initialization into
> > > bpf_object__elf_collect()?
> >
> > Ack.
> >
> > My rational for placing it there was that it's closer to other elf_*()
> > helper calls, but having it close to the allocation where it's used seems
> > like a better option.
> >
> > Will change accordingly and send a v2 based on top of bpf-next.
> >
> > > > +               pr_warn("elf: failed to get the number of sections for %s: %s\n",
> > > > +                       obj->path, elf_errmsg(-1));
> > > > +               err = -LIBBPF_ERRNO__FORMAT;
> > > > +               goto errout;
> > > > +       }
> > > > +
> > > >         /* Elf is corrupted/truncated, avoid calling elf_strptr. */
> > > >         if (!elf_rawdata(elf_getscn(elf, obj->efile.shstrndx), NULL)) {
> > > >                 pr_warn("elf: failed to get section names strings from %s: %s\n",
> > > > @@ -3315,7 +3322,6 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
> > > >          * section. e_shnum does include sec #0, so e_shnum is the necessary
> > > >          * size of an array to keep all the sections.
> > > >          */
> > > > -       obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
> > > >         obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
>
> Looking again I realized we're still allocation one more section than
> necessary, even after 0d6988e16a12 ("libbpf: Fix section counting logic").

Yes, that's by design so to preserve ELF's 1-based indexing and not
have to constantly adjust section index by -1 to do a lookup. Please
keep it as is.

>
> elf_nextscn() skips sec #0, so (sec_cnt - 1) * sizeof(secs) should suffice.
>
>   /* In elfutils/libelf/elf_nextscn.c */
>   Elf_Scn *elf_nextscn (Elf *elf, Elf_Scn *scn)
>   {
>     ...
>
>     if (scn == NULL)
>       {
>         /* If no section handle is given return the first (not 0th) section.
>          Set scn to the 0th section and perform nextscn.  */
>         if (elf->class == ELFCLASS32
>            || (offsetof (Elf, state.elf32.scns)
>                == offsetof (Elf, state.elf64.scns)))
>         list = &elf->state.elf32.scns;
>         else
>         list = &elf->state.elf64.scns;
>
>         scn = &list->data[0];
>       }
>     ...
>   }
>
> What do you think? If it make sense then I'll place the sec_cnt - 1 change
> before the current patch unless otherwise suggested.
>
> > > >         if (!obj->efile.secs)
> > > >                 return -ENOMEM;
> > > > --
> > > > 2.37.3
> > > >
Shung-Hsi Yu Oct. 12, 2022, 1:50 a.m. UTC | #5 
On Tue, Oct 11, 2022 at 09:06:03AM -0700, Andrii Nakryiko wrote:
> On Tue, Oct 11, 2022 at 7:53 AM Shung-Hsi Yu <shung-hsi.yu@suse.com> wrote:
> >
> > On Tue, Oct 11, 2022 at 11:55:21AM +0800, Shung-Hsi Yu wrote:
> > > On Mon, Oct 10, 2022 at 05:44:20PM -0700, Andrii Nakryiko wrote:
> > > > On Fri, Oct 7, 2022 at 10:48 AM Shung-Hsi Yu <shung-hsi.yu@suse.com> wrote:
> > > > >
> > > > > This commit replace e_shnum with the elf_getshdrnum() helper to fix two
> > > > > oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
> > > > > reports are incorrectly marked as fixed and while still being
> > > > > reproducible in the latest libbpf.
> > > > >
> > > > >   # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
> > > > >   libbpf: loading object 'fuzz-object' from buffer
> > > > >   libbpf: sec_cnt is 0
> > > > >   libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
> > > > >   libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
> > > > >   =================================================================
> > > > >   ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
> > > > >   WRITE of size 4 at 0x6020000000c0 thread T0
> > > > >   SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
> > > > >       #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
> > > > >       #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
> > > > >       #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
> > > > >       ...
> > > > >
> > > > > The issue lie in libbpf's direct use of e_shnum field in ELF header as
> > > > > the section header count. Where as libelf, on the other hand,
> > > > > implemented an extra logic that, when e_shnum is zero and e_shoff is not
> > > > > zero, will use sh_size member of the initial section header as the real
> > > > > section header count (part of ELF spec to accommodate situation where
> > > > > section header counter is larger than SHN_LORESERVE).
> > > > >
> > > > > The above inconsistency lead to libbpf writing into a zero-entry calloc
> > > > > area. So intead of using e_shnum directly, use the elf_getshdrnum()
> > > > > helper provided by libelf to retrieve the section header counter into
> > > > > sec_cnt.
> > > > >
> > > > > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
> > > > > Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
> > > > > Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
> > > > > Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
> > > > > Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> > > > > ---
> > > > >
> > > > > To be honest I'm not sure if any of the BPF toolchain will produce such
> > > > > ELF binary. Tools like readelf simply refuse to dump section header
> > > > > table when e_shnum==0 && e_shoff !=0 case is encountered.
> > > > >
> > > > > While we can use same approach as readelf, opting for a coherent view
> > > > > with libelf for now since that should be less confusing.
> > > > >
> > > > > ---
> > > > >  tools/lib/bpf/libbpf.c | 10 ++++++++--
> > > > >  1 file changed, 8 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > > > > index 184ce1684dcd..a64e13c654f3 100644
> > > > > --- a/tools/lib/bpf/libbpf.c
> > > > > +++ b/tools/lib/bpf/libbpf.c
> > > > > @@ -597,7 +597,7 @@ struct elf_state {
> > > > >         size_t shstrndx; /* section index for section name strings */
> > > > >         size_t strtabidx;
> > > > >         struct elf_sec_desc *secs;
> > > > > -       int sec_cnt;
> > > > > +       size_t sec_cnt;
> > > > >         int btf_maps_shndx;
> > > > >         __u32 btf_maps_sec_btf_id;
> > > > >         int text_shndx;
> > > > > @@ -1369,6 +1369,13 @@ static int bpf_object__elf_init(struct bpf_object *obj)
> > > > >                 goto errout;
> > > > >         }
> > > > >
> > > > > +       if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {
> > > >
> > > > It bothers me that sec_cnt is initialized in bpf_object__elf_init, but
> > > > secs are allocated a bit later in bpf_object__elf_collect(). What if
> > > > we move elf_getshdrnum() call and sec_cnt initialization into
> > > > bpf_object__elf_collect()?
> > >
> > > Ack.
> > >
> > > My rational for placing it there was that it's closer to other elf_*()
> > > helper calls, but having it close to the allocation where it's used seems
> > > like a better option.
> > >
> > > Will change accordingly and send a v2 based on top of bpf-next.
> > >
> > > > > +               pr_warn("elf: failed to get the number of sections for %s: %s\n",
> > > > > +                       obj->path, elf_errmsg(-1));
> > > > > +               err = -LIBBPF_ERRNO__FORMAT;
> > > > > +               goto errout;
> > > > > +       }
> > > > > +
> > > > >         /* Elf is corrupted/truncated, avoid calling elf_strptr. */
> > > > >         if (!elf_rawdata(elf_getscn(elf, obj->efile.shstrndx), NULL)) {
> > > > >                 pr_warn("elf: failed to get section names strings from %s: %s\n",
> > > > > @@ -3315,7 +3322,6 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
> > > > >          * section. e_shnum does include sec #0, so e_shnum is the necessary
> > > > >          * size of an array to keep all the sections.
> > > > >          */
> > > > > -       obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
> > > > >         obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
> >
> > Looking again I realized we're still allocation one more section than
> > necessary, even after 0d6988e16a12 ("libbpf: Fix section counting logic").
> 
> Yes, that's by design so to preserve ELF's 1-based indexing and not
> have to constantly adjust section index by -1 to do a lookup. Please
> keep it as is.

Understood, I'll leave it as is. Thanks!

> > elf_nextscn() skips sec #0, so (sec_cnt - 1) * sizeof(secs) should suffice.
> >
> >   /* In elfutils/libelf/elf_nextscn.c */
> >   Elf_Scn *elf_nextscn (Elf *elf, Elf_Scn *scn)
> >   {
> >     ...
> >
> >     if (scn == NULL)
> >       {
> >         /* If no section handle is given return the first (not 0th) section.
> >          Set scn to the 0th section and perform nextscn.  */
> >         if (elf->class == ELFCLASS32
> >            || (offsetof (Elf, state.elf32.scns)
> >                == offsetof (Elf, state.elf64.scns)))
> >         list = &elf->state.elf32.scns;
> >         else
> >         list = &elf->state.elf64.scns;
> >
> >         scn = &list->data[0];
> >       }
> >     ...
> >   }
> >
> > What do you think? If it make sense then I'll place the sec_cnt - 1 change
> > before the current patch unless otherwise suggested.
> >
> > > > >         if (!obj->efile.secs)
> > > > >                 return -ENOMEM;
> > > > > --
> > > > > 2.37.3
> > > > >
diff mbox series

Patch

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 184ce1684dcd..a64e13c654f3 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -597,7 +597,7 @@  struct elf_state {
 	size_t shstrndx; /* section index for section name strings */
 	size_t strtabidx;
 	struct elf_sec_desc *secs;
-	int sec_cnt;
+	size_t sec_cnt;
 	int btf_maps_shndx;
 	__u32 btf_maps_sec_btf_id;
 	int text_shndx;
@@ -1369,6 +1369,13 @@  static int bpf_object__elf_init(struct bpf_object *obj)
 		goto errout;
 	}

+	if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {
+		pr_warn("elf: failed to get the number of sections for %s: %s\n",
+			obj->path, elf_errmsg(-1));
+		err = -LIBBPF_ERRNO__FORMAT;
+		goto errout;
+	}
+
 	/* Elf is corrupted/truncated, avoid calling elf_strptr. */
 	if (!elf_rawdata(elf_getscn(elf, obj->efile.shstrndx), NULL)) {
 		pr_warn("elf: failed to get section names strings from %s: %s\n",
@@ -3315,7 +3322,6 @@  static int bpf_object__elf_collect(struct bpf_object *obj)
 	 * section. e_shnum does include sec #0, so e_shnum is the necessary
 	 * size of an array to keep all the sections.
 	 */
-	obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
 	obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
 	if (!obj->efile.secs)
 		return -ENOMEM;