From patchwork Tue Mar 28 00:47:37 2023
X-Patchwork-Submitter: Eduard Zingerman
X-Patchwork-Id: 13190273
X-Patchwork-Delegate: bpf@iogearbox.net
From: Eduard Zingerman
To: bpf@vger.kernel.org, ast@kernel.org
Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yhs@fb.com, james.hilliard1@gmail.com, Eduard Zingerman
Subject: [PATCH bpf-next 1/2] selftests/bpf: Test if bpftool linker handles empty sections
Date: Tue, 28 Mar 2023 03:47:37 +0300
Message-Id: <20230328004738.381898-2-eddyz87@gmail.com>
In-Reply-To: <20230328004738.381898-1-eddyz87@gmail.com>
References: <20230328004738.381898-1-eddyz87@gmail.com>

Adds two empty functions to linked_funcs[12].c. The functions are annotated as "naked" and go to a separate section. This section ends up having size 0. bpftool linker merges content for sections with identical names. This tests if it can handle empty sections.

Signed-off-by: Eduard Zingerman
---
 tools/testing/selftests/bpf/progs/linked_funcs1.c | 3 +++
 tools/testing/selftests/bpf/progs/linked_funcs2.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/linked_funcs1.c b/tools/testing/selftests/bpf/progs/linked_funcs1.c
index c4b49ceea967..029bb5022ba2 100644
--- a/tools/testing/selftests/bpf/progs/linked_funcs1.c
+++ b/tools/testing/selftests/bpf/progs/linked_funcs1.c
@@ -86,4 +86,7 @@ int BPF_PROG(handler1, struct pt_regs *regs, long id) return 0; } +SEC(".empty_section") +__naked void empty_function1(void) {} + char LICENSE[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/progs/linked_funcs2.c b/tools/testing/selftests/bpf/progs/linked_funcs2.c
index 013ff0645f0c..4547c8dfc689 100644
--- a/tools/testing/selftests/bpf/progs/linked_funcs2.c
+++ b/tools/testing/selftests/bpf/progs/linked_funcs2.c
@@ -86,4 +86,7 @@ int BPF_PROG(handler2, struct pt_regs *regs, long id) return 0; } +SEC(".empty_section") +__naked void empty_function2(void) {} + char LICENSE[] SEC("license") = "GPL";
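Review bot: the two hunks (identical apart from empty_function1 vs empty_function2) give the linked_funcs test no explicit expectation about the merged section: the only way a regression shows up is a failed link step or the double free in bpf_linker__free() that 2/2 describes, so a linker that silently dropped or mis-sized `.empty_section` without crashing would still pass. Consider adding a check on the linked object in the linked_funcs test, for instance that `.empty_section` is present with size 0, or that both empty_function1 and empty_function2 symbols survive linking. Also, `__naked` is used here with no include change in the diff, so the hunk relies on linked_funcs[12].c already pulling in the selftests header that defines it (bpf_misc.h); worth confirming both files do.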

From: Eduard Zingerman
To: bpf@vger.kernel.org, ast@kernel.org
Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, kernel-team@fb.com, yhs@fb.com, james.hilliard1@gmail.com, Eduard Zingerman
Subject: [PATCH bpf-next 2/2] libbpf: Fix double-free when linker processes empty sections
Date: Tue, 28 Mar 2023 03:47:38 +0300
Message-Id: <20230328004738.381898-3-eddyz87@gmail.com>
In-Reply-To: <20230328004738.381898-1-eddyz87@gmail.com>
References: <20230328004738.381898-1-eddyz87@gmail.com>

Double-free error in bpf_linker__free() was reported by James Hilliard.
The error is caused by misuse of realloc() in extend_sec().
The error occurs when two files with empty sections of the same name are linked:
- when first file is processed:
  - extend_sec() calls realloc(dst->raw_data, dst_align_sz) with dst->raw_data == NULL and dst_align_sz == 0;
  - dst->raw_data is set to a special pointer to a memory block of size zero;
- when second file is processed:
  - extend_sec() calls realloc(dst->raw_data, dst_align_sz) with dst->raw_data == and dst_align_sz == 0;
  - realloc() "frees" dst->raw_data special pointer and returns NULL;
  - extend_sec() exits with -ENOMEM, and the old dst->raw_data value is preserved (it is now invalid);
  - eventually, bpf_linker__free() attempts to free dst->raw_data again.

This patch fixes the bug by avoiding -ENOMEM exit for dst_align_sz == 0.

The fix was suggested by Andrii Nakryiko.

Reported-by: James Hilliard
Link: https://lore.kernel.org/bpf/CADvTj4o7ZWUikKwNTwFq0O_AaX+46t_+Ca9gvWMYdWdRtTGeHQ@mail.gmail.com/
Signed-off-by: Eduard Zingerman
Tested-by: James Hilliard
---
 tools/lib/bpf/linker.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
index d7069780984a..5ced96d99f8c 100644
--- a/tools/lib/bpf/linker.c
+++ b/tools/lib/bpf/linker.c @@ -1115,7 +1115,19 @@ static int extend_sec(struct bpf_linker *linker, struct dst_sec *dst, struct src if (src->shdr->sh_type != SHT_NOBITS) { tmp = realloc(dst->raw_data, dst_final_sz); - if (!tmp) + /* If dst_align_sz == 0, realloc() behaves in a special way: + * 1. When dst->raw_data is NULL it returns: + * "either NULL or a pointer suitable to be passed to free()" [1]. + * 2. When dst->raw_data is not-NULL it frees dst->raw_data and returns NULL, + * thus invalidating any "pointer suitable to be passed to free()" obtained + * at step (1). + * + * The dst_align_sz > 0 check avoids error exit after (2), otherwise + * dst->raw_data would be freed again in bpf_linker__free(). + * + * [1] man 3 realloc + */ + if (!tmp && dst_align_sz > 0) return -ENOMEM; dst->raw_data = tmp;
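Review bot: the new guard tests a different size than the one handed to realloc(): the call is `tmp = realloc(dst->raw_data, dst_final_sz);` but the check is `if (!tmp && dst_align_sz > 0)`. When dst_align_sz == 0 and dst_final_sz > 0 (the first non-empty contribution to any section), a genuine allocation failure returns NULL, the check does not fire, `dst->raw_data = tmp;` stores NULL and the function carries on as if the allocation had succeeded instead of returning -ENOMEM. The case that actually makes realloc() special is dst_final_sz == 0, so the check and the comment's opening line should name dst_final_sz; better still, skip the realloc() entirely when dst_final_sz == 0, since there is nothing to store, which also removes the dependency on realloc(ptr, 0) semantics (implementation-defined by the C standard; glibc frees and returns NULL as the comment says, other allocators differ).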
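The realloc() sequence the commit message walks through, as an added example that is not part of the patch or of libbpf: a self-contained model of the extend_sec() grow-and-append step with the pre-fix error handling and a hardened variant side by side. The hardened variant takes a different route from the patch's dst_align_sz > 0 check: it never calls realloc() with a size of 0 and treats a NULL result as a failure only when the requested size was non-zero, so it does not depend on realloc(ptr, 0) behaviour, which is implementation-defined (glibc frees the old block and returns NULL). struct dst_sec, extend_model() and the two driver functions are hypothetical names chosen for this example.

```c
/* Added example, not libbpf's code: model of the extend_sec() pattern from
 * the patch.  struct dst_sec is a hypothetical stand-in that keeps only the
 * two fields the patch touches. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dst_sec {
	char *raw_data;   /* merged section bytes, grown with realloc() */
	size_t sec_sz;    /* bytes currently stored */
};

/*
 * Append src_sz bytes from src to dst, padding dst up to `align` first.
 * fixed == 0 reproduces the pre-patch handling: a NULL from realloc() returns
 * -ENOMEM and leaves dst->raw_data untouched, which is only safe when the
 * requested size is non-zero.  fixed == 1 never calls realloc() with size 0,
 * so the "old pointer is still valid on failure" assumption always holds.
 */
static int extend_model(struct dst_sec *dst, const char *src, size_t src_sz,
			size_t align, int fixed)
{
	size_t dst_align_sz = (dst->sec_sz + align - 1) / align * align;
	size_t dst_final_sz = dst_align_sz + src_sz;
	char *tmp;

	if (fixed && dst_final_sz == 0) {
		/* Nothing to store: release whatever is there and record NULL. */
		free(dst->raw_data);
		dst->raw_data = NULL;
		dst->sec_sz = 0;
		return 0;
	}

	tmp = realloc(dst->raw_data, dst_final_sz);
	if (!tmp) {
		/* With dst_final_sz > 0 this is a real allocation failure and
		 * dst->raw_data is still valid.  With dst_final_sz == 0 (pre-fix
		 * path only) glibc has already freed dst->raw_data, so the
		 * pointer kept here dangles and a later free() is a double free. */
		return -ENOMEM;
	}
	dst->raw_data = tmp;
	memset(dst->raw_data + dst->sec_sz, 0, dst_align_sz - dst->sec_sz);
	memcpy(dst->raw_data + dst_align_sz, src, src_sz);
	dst->sec_sz = dst_final_sz;
	return 0;
}

/*
 * The scenario from the patch: two object files each contribute an empty
 * section of the same name.  Returns 0 when both merges succeed and the final
 * free() is safe, 1 when a merge failed but left no dangling pointer, and 2
 * when a merge failed while dst still holds a pointer realloc() already freed.
 */
static int empty_merge_status(int fixed)
{
	struct dst_sec dst = { NULL, 0 };
	int rc;

	rc = extend_model(&dst, "", 0, 8, fixed);          /* first file */
	if (rc == 0)
		rc = extend_model(&dst, "", 0, 8, fixed);  /* second file */
	if (rc == 0) {
		free(dst.raw_data);   /* the bpf_linker__free() step; NULL is fine */
		return 0;
	}
	/* On failure do not free(): on the pre-fix path that is the double free. */
	return dst.raw_data ? 2 : 1;
}

/* Two non-empty contributions with alignment padding: "abc" then "de" at
 * align 4 must yield the 6 bytes "abc\0de".  Returns 1 on success. */
static int nonempty_merge_ok(int fixed)
{
	struct dst_sec dst = { NULL, 0 };
	int ok = 0;

	if (extend_model(&dst, "abc", 3, 4, fixed) == 0 &&
	    extend_model(&dst, "de", 2, 4, fixed) == 0)
		ok = dst.sec_sz == 6 && memcmp(dst.raw_data, "abc\0de", 6) == 0;
	free(dst.raw_data);
	return ok;
}

int main(void)
{
	printf("pre-fix, two empty sections: status %d\n", empty_merge_status(0));
	printf("fixed,   two empty sections: status %d\n", empty_merge_status(1));
	printf("non-empty merge ok: pre-fix %d, fixed %d\n",
	       nonempty_merge_ok(0), nonempty_merge_ok(1));
	return 0;
}
```

On glibc the pre-fix driver reports status 2: the second realloc(ptr, 0) freed the zero-size block obtained by the first one and returned NULL, and the model, like the original extend_sec(), kept the stale pointer. The driver deliberately skips the final free() on that path; adding it back and building with -fsanitize=address shows the same double free the patch describes. The hardened path reports 0 and the non-empty merges produce identical bytes either way, which is the property a regression test for this fix should pin down.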