Re: [PATCH bpf-next 2/3] libbpf: Skip hash computation when loader generation failed

BPF List
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Daniel Borkmann" <daniel@iogearbox.net>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 2/3] libbpf: Skip hash computation when loader generation failed
Date: Fri, 29 May 2026 10:21:31 +0000	[thread overview]
Message-ID: <20260529102131.B66FC1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260529094119.307264-2-daniel@iogearbox.net>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Unchecked `add_data()` failures lead to NULL pointer dereferences or heap buffer overflows in `bpf_gen__prog_load()` and `info_blob_bswap()` during endianness swapping.
--

commit 586ab83145acd4d3b6d7223bb61c05d593fe3860
Author: Daniel Borkmann <daniel@iogearbox.net>

libbpf: Skip hash computation when loader generation failed

This patch fixes a bug in bpf_gen__finish() where compute_sha_update_offsets()
was called on failed loader generation. It moves the hash computation inside
the !gen->error block to avoid running libbpf_sha256() over NULL buffers.

> diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
> index 7b95ced7bcbaf..3a6e1d53f287a 100644
> --- a/tools/lib/bpf/gen_loader.c
> +++ b/tools/lib/bpf/gen_loader.c
> @@ -397,13 +397,12 @@ int bpf_gen__finish(struct bpf_gen *gen, int nr_progs, int nr_maps)
>  			      blob_fd_array_off(gen, i));
>  	emit(gen, BPF_MOV64_IMM(BPF_REG_0, 0));
>  	emit(gen, BPF_EXIT_INSN());
> -	if (OPTS_GET(gen->opts, gen_hash, false))
> -		compute_sha_update_offsets(gen);
> -
> -	pr_debug("gen: finish %s\n", errstr(gen->error));
>  	if (!gen->error) {
>  		struct gen_loader_opts *opts = gen->opts;
>  
> +		if (OPTS_GET(opts, gen_hash, false))
> +			compute_sha_update_offsets(gen);
> +
>  		opts->insns = gen->insn_start;

[Severity: Critical]
This isn't a regression introduced by this patch, but while reviewing this
file I noticed a pre-existing issue with how generation errors are handled in
bpf_gen__prog_load() and info_blob_bswap().

If realloc_data_buf() fails inside add_data(), it frees gen->data_start,
sets it to NULL, sets gen->error, and add_data() returns 0.

However, bpf_gen__prog_load() doesn't check gen->error before swapping
endianness:

tools/lib/bpf/gen_loader.c:bpf_gen__prog_load() {
    ...
    insns_off = add_data(gen, insns, insn_cnt * sizeof(struct bpf_insn));
    ...
    if (gen->swapped_endian) {
        struct bpf_insn *insn = gen->data_start + insns_off;
        int i;

        for (i = 0; i < insn_cnt; i++, insn++)
            bpf_insn_bswap(insn);
    }
    ...
}

If add_data() failed, this evaluates to insn = NULL + 0. Can this cause a
NULL pointer dereference when accessing insn inside bpf_insn_bswap()?

Furthermore, if gen->error was previously set (e.g., from a failed
realloc_insn_buf) while gen->data_start is non-NULL, add_data() still returns
0. 

Since the loop evaluates insn = gen->data_start + 0, can this overwrite the
beginning of gen->data_start and write past the end of the buffer if it is
smaller than insn_cnt * sizeof(struct bpf_insn)?

Could we add a check for gen->error before proceeding with the endianness
swapping?

>  		opts->insns_sz = gen->insn_cur - gen->insn_start;
>  		opts->data = gen->data_start;
> @@ -418,6 +417,7 @@ int bpf_gen__finish(struct bpf_gen *gen, int nr_progs, int nr_maps)
>  				bpf_insn_bswap(insn++);
>  		}
>  	}
> +	pr_debug("gen: finish %s\n", errstr(gen->error));
>  	return gen->error;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260529094119.307264-1-daniel@iogearbox.net?part=2

next prev parent reply	other threads:[~2026-05-29 10:21 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-29  9:41 [PATCH bpf-next 1/3] libbpf: Drop redundant self-loop in emit_check_err Daniel Borkmann
2026-05-29  9:41 ` [PATCH bpf-next 2/3] libbpf: Skip hash computation when loader generation failed Daniel Borkmann
2026-05-29 10:21   ` sashiko-bot [this message]
2026-05-29 13:49     ` Daniel Borkmann
2026-05-29  9:41 ` [PATCH bpf-next 3/3] libbpf: Also reset {insn,data}_cur on realloc failure Daniel Borkmann
2026-05-29 10:20   ` bot+bpf-ci
2026-05-29 11:22     ` Daniel Borkmann
2026-06-01  0:50 ` [PATCH bpf-next 1/3] libbpf: Drop redundant self-loop in emit_check_err patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260529102131.B66FC1F00898@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox