diff mbox series

[bpf,3/3] samples/bpf: syscall_tp_user: Fix array out-of-bound access

Message ID 20230818164643.97782-4-jinghao@linux.ibm.com (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for bpf
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 9 this patch: 9
netdev/cc_maintainers fail 1 blamed authors not CCed: rongtao@cestc.cn; 9 maintainers not CCed: yhs@fb.com kpsingh@kernel.org martin.lau@linux.dev john.fastabend@gmail.com song@kernel.org sdf@google.com rongtao@cestc.cn jolsa@kernel.org haoluo@google.com
netdev/build_clang success Errors and warnings before: 9 this patch: 9
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 9 this patch: 9
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 40 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-VM_Test-29 success Logs for veristat
bpf/vmtest-bpf-VM_Test-9 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-8 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-10 success Logs for test_progs on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-11 success Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-VM_Test-12 success Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-13 success Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-15 success Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-VM_Test-14 success Logs for test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-17 success Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-16 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-18 success Logs for test_progs_no_alu32_parallel on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-19 success Logs for test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-20 success Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-21 success Logs for test_progs_parallel on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-22 success Logs for test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-23 success Logs for test_progs_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-24 success Logs for test_verifier on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-25 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-VM_Test-27 success Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-26 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-28 success Logs for veristat
bpf/vmtest-bpf-PR fail PR summary
bpf/vmtest-bpf-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-VM_Test-2 success Logs for build for aarch64 with gcc
bpf/vmtest-bpf-VM_Test-3 fail Logs for build for s390x with gcc
bpf/vmtest-bpf-VM_Test-0 success Logs for ${{ matrix.test }} on ${{ matrix.arch }} with ${{ matrix.toolchain_full }}
bpf/vmtest-bpf-VM_Test-4 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-5 success Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-6 success Logs for set-matrix
bpf/vmtest-bpf-VM_Test-7 success Logs for veristat

Commit Message

Jinghao Jia Aug. 18, 2023, 4:46 p.m. UTC 
Commit 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint
to syscall_tp sample") added two more eBPF programs to support the
openat2() syscall. However, it did not increase the size of the array
that holds the corresponding bpf_links. This leads to an out-of-bound
access on that array in the bpf_object__for_each_program loop and could
corrupt other variables on the stack. On our testing QEMU, it corrupts
the map1_fds array and causes the sample to fail:

  # ./syscall_tp
  prog #0: map ids 4 5
  verify map:4 val: 5
  map_lookup failed: Bad file descriptor

Dynamically allocate the array based on the number of programs reported
by libbpf to prevent similar inconsistencies in the future

Fixes: 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint to syscall_tp sample")
Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
---
 samples/bpf/syscall_tp_user.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

Comments

Daniel Borkmann Aug. 25, 2023, 2:57 p.m. UTC | #1 
On 8/18/23 6:46 PM, Jinghao Jia wrote:
> Commit 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint
> to syscall_tp sample") added two more eBPF programs to support the
> openat2() syscall. However, it did not increase the size of the array
> that holds the corresponding bpf_links. This leads to an out-of-bound
> access on that array in the bpf_object__for_each_program loop and could
> corrupt other variables on the stack. On our testing QEMU, it corrupts
> the map1_fds array and causes the sample to fail:
> 
>    # ./syscall_tp
>    prog #0: map ids 4 5
>    verify map:4 val: 5
>    map_lookup failed: Bad file descriptor
> 
> Dynamically allocate the array based on the number of programs reported
> by libbpf to prevent similar inconsistencies in the future
> 
> Fixes: 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint to syscall_tp sample")
> Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
> ---
>   samples/bpf/syscall_tp_user.c | 22 +++++++++++++++++++---
>   1 file changed, 19 insertions(+), 3 deletions(-)
> 
> diff --git a/samples/bpf/syscall_tp_user.c b/samples/bpf/syscall_tp_user.c
> index 18c94c7e8a40..8855d2c1290d 100644
> --- a/samples/bpf/syscall_tp_user.c
> +++ b/samples/bpf/syscall_tp_user.c
> @@ -48,7 +48,7 @@ static void verify_map(int map_id)
>   static int test(char *filename, int nr_tests)
>   {
>   	int map0_fds[nr_tests], map1_fds[nr_tests], fd, i, j = 0;
> -	struct bpf_link *links[nr_tests * 4];
> +	struct bpf_link **links = NULL;
>   	struct bpf_object *objs[nr_tests];
>   	struct bpf_program *prog;
>   
> @@ -60,6 +60,17 @@ static int test(char *filename, int nr_tests)
>   			goto cleanup;
>   		}
>   
> +		/* One-time initialization */
> +		if (!links) {
> +			int nr_progs = 0;
> +
> +			bpf_object__for_each_program(prog, objs[i])
> +				nr_progs += 1;
> +
> +			links = calloc(nr_progs * nr_tests,
> +				       sizeof(struct bpf_link *));

NULL check is missing

> +		}
> +
>   		/* load BPF program */
>   		if (bpf_object__load(objs[i])) {
>   			fprintf(stderr, "loading BPF object file failed\n");
> @@ -107,8 +118,13 @@ static int test(char *filename, int nr_tests)
>   	}
>   
>   cleanup:
> -	for (j--; j >= 0; j--)
> -		bpf_link__destroy(links[j]);
> +	if (links) {
> +		for (j--; j >= 0; j--)
> +			bpf_link__destroy(links[j]);
> +
> +		free(links);
> +		links = NULL;

why is this explicit links = NULL needed?

> +	}
>   
>   	for (i--; i >= 0; i--)
>   		bpf_object__close(objs[i]);
>
Jinghao Jia Aug. 28, 2023, 9:28 p.m. UTC | #2 
On 8/25/23 09:57, Daniel Borkmann wrote:
> On 8/18/23 6:46 PM, Jinghao Jia wrote:
>> Commit 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint
>> to syscall_tp sample") added two more eBPF programs to support the
>> openat2() syscall. However, it did not increase the size of the array
>> that holds the corresponding bpf_links. This leads to an out-of-bound
>> access on that array in the bpf_object__for_each_program loop and could
>> corrupt other variables on the stack. On our testing QEMU, it corrupts
>> the map1_fds array and causes the sample to fail:
>>
>>    # ./syscall_tp
>>    prog #0: map ids 4 5
>>    verify map:4 val: 5
>>    map_lookup failed: Bad file descriptor
>>
>> Dynamically allocate the array based on the number of programs reported
>> by libbpf to prevent similar inconsistencies in the future
>>
>> Fixes: 06744f24696e ("samples/bpf: Add openat2() enter/exit tracepoint to syscall_tp sample")
>> Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
>> ---
>>   samples/bpf/syscall_tp_user.c | 22 +++++++++++++++++++---
>>   1 file changed, 19 insertions(+), 3 deletions(-)
>>
>> diff --git a/samples/bpf/syscall_tp_user.c b/samples/bpf/syscall_tp_user.c
>> index 18c94c7e8a40..8855d2c1290d 100644
>> --- a/samples/bpf/syscall_tp_user.c
>> +++ b/samples/bpf/syscall_tp_user.c
>> @@ -48,7 +48,7 @@ static void verify_map(int map_id)
>>   static int test(char *filename, int nr_tests)
>>   {
>>       int map0_fds[nr_tests], map1_fds[nr_tests], fd, i, j = 0;
>> -    struct bpf_link *links[nr_tests * 4];
>> +    struct bpf_link **links = NULL;
>>       struct bpf_object *objs[nr_tests];
>>       struct bpf_program *prog;
>>   @@ -60,6 +60,17 @@ static int test(char *filename, int nr_tests)
>>               goto cleanup;
>>           }
>>   +        /* One-time initialization */
>> +        if (!links) {
>> +            int nr_progs = 0;
>> +
>> +            bpf_object__for_each_program(prog, objs[i])
>> +                nr_progs += 1;
>> +
>> +            links = calloc(nr_progs * nr_tests,
>> +                       sizeof(struct bpf_link *));
>
> NULL check is missing

Oh, apparently I missed that, will fix in v2.


>
>> +        }
>> +
>>           /* load BPF program */
>>           if (bpf_object__load(objs[i])) {
>>               fprintf(stderr, "loading BPF object file failed\n");
>> @@ -107,8 +118,13 @@ static int test(char *filename, int nr_tests)
>>       }
>>     cleanup:
>> -    for (j--; j >= 0; j--)
>> -        bpf_link__destroy(links[j]);
>> +    if (links) {
>> +        for (j--; j >= 0; j--)
>> +            bpf_link__destroy(links[j]);
>> +
>> +        free(links);
>> +        links = NULL;
>
> why is this explicit links = NULL needed?

Yeah I agree this is redundant, since links is not used later.


>
>> +    }
>>         for (i--; i >= 0; i--)
>>           bpf_object__close(objs[i]);
>>
>
>
>

I wonder if there are further comments before I roll out a v2?

--Jinghao
diff mbox series

Patch

diff --git a/samples/bpf/syscall_tp_user.c b/samples/bpf/syscall_tp_user.c
index 18c94c7e8a40..8855d2c1290d 100644
--- a/samples/bpf/syscall_tp_user.c
+++ b/samples/bpf/syscall_tp_user.c
@@ -48,7 +48,7 @@  static void verify_map(int map_id)
 static int test(char *filename, int nr_tests)
 {
 	int map0_fds[nr_tests], map1_fds[nr_tests], fd, i, j = 0;
-	struct bpf_link *links[nr_tests * 4];
+	struct bpf_link **links = NULL;
 	struct bpf_object *objs[nr_tests];
 	struct bpf_program *prog;
 
@@ -60,6 +60,17 @@  static int test(char *filename, int nr_tests)
 			goto cleanup;
 		}
 
+		/* One-time initialization */
+		if (!links) {
+			int nr_progs = 0;
+
+			bpf_object__for_each_program(prog, objs[i])
+				nr_progs += 1;
+
+			links = calloc(nr_progs * nr_tests,
+				       sizeof(struct bpf_link *));
+		}
+
 		/* load BPF program */
 		if (bpf_object__load(objs[i])) {
 			fprintf(stderr, "loading BPF object file failed\n");
@@ -107,8 +118,13 @@  static int test(char *filename, int nr_tests)
 	}
 
 cleanup:
-	for (j--; j >= 0; j--)
-		bpf_link__destroy(links[j]);
+	if (links) {
+		for (j--; j >= 0; j--)
+			bpf_link__destroy(links[j]);
+
+		free(links);
+		links = NULL;
+	}
 
 	for (i--; i >= 0; i--)
 		bpf_object__close(objs[i]);