From: Jinghao Jia <jinghao@linux.ibm.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	Jinghao Jia <jinghao@linux.ibm.com>
Subject: [PATCH bpf 0/3] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug
Date: Fri, 18 Aug 2023 12:46:40 -0400	[thread overview]
Message-ID: <20230818164643.97782-1-jinghao@linux.ibm.com> (raw)

There are currently 6 BPF programs in syscall_tp_kern but the array to
hold the corresponding bpf_links in syscall_tp_user only has space for 4
programs, given the array size is hardcoded. This causes the sample
program to fail due to an out-of-bound access that corrupts other stack
variables:

  # ./syscall_tp
  prog #0: map ids 4 5
  verify map:4 val: 5
  map_lookup failed: Bad file descriptor

This patch series aims to solve this issue for now and for the future.
It first adds the -fsanitize=bounds flag to make similar bugs more
obvious at runtime. It then refactors syscall_tp_user to retrieve the
number of programs from the bpf_object and dynamically allocate the
array of bpf_links to avoid inconsistencies from hardcoding.

Jinghao Jia (3):
  samples/bpf: Add -fsanitize=bounds to userspace programs
  samples/bpf: syscall_tp_user: Rename num_progs into nr_tests
  samples/bpf: syscall_tp_user: Fix array out-of-bound access

 samples/bpf/Makefile          |  1 +
 samples/bpf/syscall_tp_user.c | 44 ++++++++++++++++++++++++-----------
 2 files changed, 31 insertions(+), 14 deletions(-)

-- 
2.41.0
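
As an added example (not code from this series or from the samples/bpf tree), the sizing discipline the cover letter describes, reduced to plain C without libbpf: `kern_progs`, `count_progs`, `attach_all` and `attached_with_capacity` are constructed stand-ins for the sample's program list, link array and attach loop, and the fake fds are made up. It also shows the caveat that follows from patch 3: once the link table is heap-allocated, `-fsanitize=bounds` no longer sees its bound, so the capacity has to be checked explicitly.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed stand-in for the six programs in syscall_tp_kern.o (names
 * made up); the real sample walks the bpf_object instead of a literal. */
static const char *const kern_progs[] = {
	"tp0", "tp1", "tp2", "tp3", "tp4", "tp5", NULL,
};

/* Derive the count by walking the list, as the refactor does for nr_tests. */
size_t count_progs(const char *const *progs)
{
	size_t n = 0;
	while (progs[n])
		n++;
	return n;
}

/* "Attach" each program by storing a fake fd (100 + index) in its slot.
 * A calloc'd buffer has no static bound, so -fsanitize=bounds cannot
 * instrument stores into it; the capacity is passed alongside and checked
 * on every store. Stops at the first missing slot instead of writing past
 * the end and returns how many were stored for comparison with count_progs(). */
size_t attach_all(const char *const *progs, int *link_fd, size_t cap)
{
	size_t i;
	for (i = 0; progs[i] && link_fd && i < cap; i++)
		link_fd[i] = 100 + (int)i;
	return i;
}

/* Allocate a link table of the given capacity, attach everything and report
 * how many fit: 4 reproduces the original mismatch (4 of 6), while a table
 * sized by count_progs() holds all 6. */
size_t attached_with_capacity(size_t cap)
{
	int *link_fd = calloc(cap, sizeof(*link_fd));
	size_t n = link_fd ? attach_all(kern_progs, link_fd, cap) : 0;
	free(link_fd);
	return n;
}

/* The fixed flow end to end: size from the object, never from a literal.
 * Returns 1 when every program got a slot, 0 otherwise. */
int attach_sized_from_object(void)
{
	size_t nr_tests = count_progs(kern_progs);
	return attached_with_capacity(nr_tests) == nr_tests;
}
```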


Thread overview: 6+ messages
2023-08-18 16:46 Jinghao Jia [this message]
2023-08-18 16:46 ` [PATCH bpf 1/3] samples/bpf: Add -fsanitize=bounds to userspace programs Jinghao Jia
2023-08-18 16:46 ` [PATCH bpf 2/3] samples/bpf: syscall_tp_user: Rename num_progs into nr_tests Jinghao Jia
2023-08-18 16:46 ` [PATCH bpf 3/3] samples/bpf: syscall_tp_user: Fix array out-of-bound access Jinghao Jia
2023-08-25 14:57   ` Daniel Borkmann
2023-08-28 21:28     ` Jinghao Jia
