From: Jinghao Jia <jinghao@linux.ibm.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
Jinghao Jia <jinghao@linux.ibm.com>
Subject: [PATCH bpf 0/3] samples/bpf: syscall_tp_user: Refactor and fix array index out-of-bounds bug
Date: Fri, 18 Aug 2023 12:46:40 -0400 [thread overview]
Message-ID: <20230818164643.97782-1-jinghao@linux.ibm.com> (raw)
There are currently 6 BPF programs in syscall_tp_kern but the array to
hold the corresponding bpf_links in syscall_tp_user only has space for 4
programs, given the array size is hardcoded. This causes the sample
program to fail due to an out-of-bound access that corrupts other stack
variables:
# ./syscall_tp
prog #0: map ids 4 5
verify map:4 val: 5
map_lookup failed: Bad file descriptor
This patch series aims to solve this issue for now and for the future.
It first adds the -fsanitize=bounds flag to make similar bugs more
obvious at runtime. It then refactors syscall_tp_user to retrieve the
number of programs from the bpf_object and dynamically allocate the
array of bpf_links to avoid inconsistencies from hardcoding.
Jinghao Jia (3):
samples/bpf: Add -fsanitize=bounds to userspace programs
samples/bpf: syscall_tp_user: Rename num_progs into nr_tests
samples/bpf: syscall_tp_user: Fix array out-of-bound access
samples/bpf/Makefile | 1 +
samples/bpf/syscall_tp_user.c | 44 ++++++++++++++++++++++++-----------
2 files changed, 31 insertions(+), 14 deletions(-)
--
2.41.0
next reply other threads:[~2023-08-18 16:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-18 16:46 Jinghao Jia [this message]
2023-08-18 16:46 ` [PATCH bpf 1/3] samples/bpf: Add -fsanitize=bounds to userspace programs Jinghao Jia
2023-08-18 16:46 ` [PATCH bpf 2/3] samples/bpf: syscall_tp_user: Rename num_progs into nr_tests Jinghao Jia
2023-08-18 16:46 ` [PATCH bpf 3/3] samples/bpf: syscall_tp_user: Fix array out-of-bound access Jinghao Jia
2023-08-25 14:57 ` Daniel Borkmann
2023-08-28 21:28 ` Jinghao Jia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230818164643.97782-1-jinghao@linux.ibm.com \
--to=jinghao@linux.ibm.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox