Re: [PATCH bpf-next] libbpf: Fix null pointer check in btf__add_str

All of lore.kernel.org
 help / color / mirror / Atom feed

From: John Fastabend <john.fastabend@gmail.com>
To: Daniel Borkmann <daniel@iogearbox.net>,
	 Wentao Zhang <wentao.zhang@windriver.com>,
	 ast@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next] libbpf: Fix null pointer check in btf__add_str
Date: Thu, 14 Dec 2023 11:34:16 -0800	[thread overview]
Message-ID: <657b58b8685ad_516b4208f1@john.notmuch> (raw)
In-Reply-To: <ca122e6f-19dc-d319-54f8-75e1dfa988c3@iogearbox.net>

Daniel Borkmann wrote:
> On 12/14/23 8:50 AM, Wentao Zhang wrote:
> > The function btf_str_by_offset may return NULL when used as an
> > input argument for btf_add_str in the context of btf_rewrite_str.
> > The added check ensures that both the input string (s) and the
> > BTF object (btf) are non-null before proceeding with the function
> > logic. If either is null, the function returns an error code
> > indicating an invalid argument.
> > 
> > Found by our static analysis tool.
> > 
> > Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
> > ---
> >   tools/lib/bpf/btf.c | 2 ++
> >   1 file changed, 2 insertions(+)
> > 
> > diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
> > index fd2309512978..a6a00bdc7151 100644
> > --- a/tools/lib/bpf/btf.c
> > +++ b/tools/lib/bpf/btf.c
> > @@ -1612,6 +1612,8 @@ int btf__find_str(struct btf *btf, const char *s)
> >   int btf__add_str(struct btf *btf, const char *s)
> >   {
> >   	int off;
> 
> (nit: empty line after declaration)
> 
> > +	if(!s || !btf)
> > +		return libbpf_err(-EINVAL);
> >   
> >   	if (btf->base_btf) {
> >   		off = btf__find_str(btf->base_btf, s);
> > 
> 
> If feels a bit off that in this library helper function we'd validate the inputs
> but not in others. Alternative could be :
> 
> diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
> index 63033c334320..18574fc017d9 100644
> --- a/tools/lib/bpf/btf.c
> +++ b/tools/lib/bpf/btf.c
> @@ -1735,6 +1735,7 @@ static int btf_rewrite_str(__u32 *str_off, void *ctx)
>   {
>   	struct btf_pipe *p = ctx;
>   	long mapped_off;
> +	const char *s;
>   	int off, err;
> 
>   	if (!*str_off) /* nothing to do for empty strings */
> @@ -1746,7 +1747,11 @@ static int btf_rewrite_str(__u32 *str_off, void *ctx)
>   		return 0;
>   	}
> 
> -	off = btf__add_str(p->dst, btf__str_by_offset(p->src, *str_off));
> +	s = btf__str_by_offset(p->src, *str_off);
> +	if (!s)
> +		return -EINVAL;
> +
> +	off = btf__add_str(p->dst, s);
>   	if (off < 0)
>   		return off;
> 
> 

Agreed its a odd way to check input. Also I found a few cases where even if
you did check it in btf__find_str it also deref'd a few lines down in the
main code. I think the assumption throughout is that btf is !null. Or if  it
is null we abort much earlier in the code. Didn't study too thoroughly though
so perhaps I missed some cases. One in the below diff for example would be
nice I think.

Could likely get a more meaningful error up to user as well by failing early.

diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
index 63033c334320..5e70dcecab27 100644
--- a/tools/lib/bpf/btf.c
+++ b/tools/lib/bpf/btf.c
@@ -3470,6 +3470,9 @@ static int strs_dedup_remap_str_off(__u32 *str_off_ptr, void *ctx)
                return 0;
 
        s = btf__str_by_offset(d->btf, str_off);
+       if (s < 0)
+               return s;
+
        if (d->btf->base_btf) {
                err = btf__find_str(d->btf->base_btf, s);
                if (err >= 0) {

next prev parent reply	other threads:[~2023-12-14 19:34 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-14  7:50 [PATCH bpf-next] libbpf: Fix null pointer check in btf__add_str Wentao Zhang
2023-12-14 15:34 ` Daniel Borkmann
2023-12-14 19:34   ` John Fastabend [this message]
2023-12-14 23:36 ` Andrii Nakryiko

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:63033c33432 dfblob:5e70dcecab2 )
 OR (
bs:"Re: [PATCH bpf-next] libbpf: Fix null pointer check in btf__add_str" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=657b58b8685ad_516b4208f1@john.notmuch \
    --to=john.fastabend@gmail.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=wentao.zhang@windriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.