[PATCH bpf] bpf: Refactoring btf_name_valid_identifier() and btf_name_valid_section()

[PATCH bpf] bpf: Refactoring btf_name_valid_identifier() and btf_name_valid_section()

[Jeongjun Park]

Currently, btf_name_valid_identifier() and btf_name_valid_section() are
written in a while loop and use pointer operations, so it takes a long
time to understand the operation of the code. Therefore, I suggest
refactoring the code to make it easier to maintain.

In addition, btf_name_valid_section() does not check for the case where
src[0] is a NULL value, resulting in an out-of-bounds vuln. Therefore, a
check for this should be added.

Reported-by: Jeongjun Park <aha310510@gmail.com>
Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
 kernel/bpf/btf.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 674b38c33c74..c1e2aead9141 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -794,21 +794,18 @@ static bool btf_name_valid_identifier(const struct btf *btf, u32 offset)
 {
 	/* offset must be valid */
 	const char *src = btf_str_by_offset(btf, offset);
-	const char *src_limit;
+	int i;
 
-	if (!__btf_name_char_ok(*src, true))
+	if (!__btf_name_char_ok(src[0], true))
 		return false;
 
 	/* set a limit on identifier length */
-	src_limit = src + KSYM_NAME_LEN;
-	src++;
-	while (*src && src < src_limit) {
-		if (!__btf_name_char_ok(*src, false))
+	for (i = 1; i < KSYM_NAME_LEN && src[i]; i++) {
+		if (!__btf_name_char_ok(src[i], false))
 			return false;
-		src++;
 	}
 
-	return !*src;
+	return !src[i];
 }
 
 /* Allow any printable character in DATASEC names */
@@ -816,18 +813,18 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
 {
 	/* offset must be valid */
 	const char *src = btf_str_by_offset(btf, offset);
-	const char *src_limit;
+	int i;
+
+	if (!src[0])
+		return false;
 
 	/* set a limit on identifier length */
-	src_limit = src + KSYM_NAME_LEN;
-	src++;
-	while (*src && src < src_limit) {
-		if (!isprint(*src))
+	for (i = 1; i < KSYM_NAME_LEN && src[i]; i++) {
+		if (!isprint(src[i]))
 			return false;
-		src++;
 	}
 
-	return !*src;
+	return !src[i];
 }
 
 static const char *__btf_name_by_offset(const struct btf *btf, u32 offset)
--

Re: [PATCH bpf] bpf: Refactoring btf_name_valid_identifier() and btf_name_valid_section()

[Alexei Starovoitov]

On Mon, Aug 19, 2024 at 9:08 AM Jeongjun Park <aha310510@gmail.com> wrote:
>
> Currently, btf_name_valid_identifier() and btf_name_valid_section() are
> written in a while loop and use pointer operations, so it takes a long
> time to understand the operation of the code. Therefore, I suggest
> refactoring the code to make it easier to maintain.

imo it's harder to read after refactoring. Pls avoid.

> In addition, btf_name_valid_section() does not check for the case where
> src[0] is a NULL value, resulting in an out-of-bounds vuln. Therefore, a
> check for this should be added.

Hmm. Not sure about it. Pls add a selftest that demonstrates the issue
and produce a patch to fix just that.
Do not mix it with questionable refactoring.

pw-bot: cr