An invalid memory access was discovered by a fuzz test

BPF List
 help / color / mirror / Atom feed

* An invalid memory access was discovered by a fuzz test
@ 2023-12-19 14:15 Xin Liu
  2023-12-19 15:06 ` Daniel Borkmann
  0 siblings, 1 reply; 2+ messages in thread
From: Xin Liu @ 2023-12-19 14:15 UTC (permalink / raw)
  To: ast, daniel, andrii, martin.lau, song, yhs, john.fastabend,
	kpsingh, sdf, haoluo, jolsa
  Cc: bpf, linux-kernel, yanan, wuchangye, xiesongyang, kongweibin2,
	liuxin350, tianmuyang, zhangmingyi5

Hi all:

The issue occurred while reading an ELF file in libbpf.c during fuzzing

    Using host libthread_db library "/usr/lib64/libthread_db.so.1".
    0.000243187s DEBUG total counters = 7816
    0.000346533s DEBUG binary maps to 400000-155f280, len = 18215552
    0.000765462s DEBUG init_fuzzer:run_seed: running initial seed path="crash-sigsegv-b905489aaeb39555ff1245117f1efd1677195b9ac1437bfb18b8d2d04099704b"

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
    4206 in libbpf.c
    (gdb) bt
    #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
    #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
    #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
    #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
    #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
    #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
    #6 0x000000000087ad92 in tracing::span::Span::in_scope ()
    #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
    #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
    #9 0x00000000005f2601 in main ()
    (gdb)

then, I checked the code and found that scn_data was null at this code(tools/lib/bpf/src/libbpf.c):

    if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
    
The scn_data is derived from the code above:
    
    scn = elf_sec_by_idx(obj, sec_idx);
    scn_data = elf_sec_data(obj, scn);
    
    relo_sec_name = elf_sec_str(obj, shdr->sh_name);
    sec_name = elf_sec_name(obj, scn);
    if (!relo_sec_name || !sec_name)    // don't check whether scn_data is NULL
    	return -EINVAL;

Do sec_data and sec_name always occur together? Is it possible that scn_data is NULL but sec_name
is not NULL? libbpf uses sec_name to determine if it’s a null pointer, Maybe we should do some
check here.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: An invalid memory access was discovered by a fuzz test
  2023-12-19 14:15 An invalid memory access was discovered by a fuzz test Xin Liu
@ 2023-12-19 15:06 ` Daniel Borkmann
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Borkmann @ 2023-12-19 15:06 UTC (permalink / raw)
  To: Xin Liu, ast, andrii, martin.lau, song, yhs, john.fastabend,
	kpsingh, sdf, haoluo, jolsa
  Cc: bpf, linux-kernel, yanan, wuchangye, xiesongyang, kongweibin2,
	tianmuyang, zhangmingyi5

On 12/19/23 3:15 PM, Xin Liu wrote:
> Hi all:
> 
> The issue occurred while reading an ELF file in libbpf.c during fuzzing
> 
>      Using host libthread_db library "/usr/lib64/libthread_db.so.1".
>      0.000243187s DEBUG total counters = 7816
>      0.000346533s DEBUG binary maps to 400000-155f280, len = 18215552
>      0.000765462s DEBUG init_fuzzer:run_seed: running initial seed path="crash-sigsegv-b905489aaeb39555ff1245117f1efd1677195b9ac1437bfb18b8d2d04099704b"
> 
>      Program received signal SIGSEGV, Segmentation fault.
>      0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
>      4206 in libbpf.c
>      (gdb) bt
>      #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
>      #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
>      #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
>      #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
>      #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
>      #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
>      #6 0x000000000087ad92 in tracing::span::Span::in_scope ()
>      #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
>      #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
>      #9 0x00000000005f2601 in main ()
>      (gdb)
> 
> then, I checked the code and found that scn_data was null at this code(tools/lib/bpf/src/libbpf.c):
> 
>      if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
>      
> The scn_data is derived from the code above:
>      
>      scn = elf_sec_by_idx(obj, sec_idx);
>      scn_data = elf_sec_data(obj, scn);
>      
>      relo_sec_name = elf_sec_str(obj, shdr->sh_name);
>      sec_name = elf_sec_name(obj, scn);
>      if (!relo_sec_name || !sec_name)    // don't check whether scn_data is NULL
>      	return -EINVAL;
> 
> Do sec_data and sec_name always occur together? Is it possible that scn_data is NULL but sec_name
> is not NULL? libbpf uses sec_name to determine if it’s a null pointer, Maybe we should do some
> check here.

Weird, is this based on a malformed elf given sec_idx comes from shdr->sh_info?
It probably makes sense to NULL check and then return with -LIBBPF_ERRNO__FORMAT
as we do elsewhere. Do you want to send a fix?

Thanks,
Daniel

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2023-12-19 15:07 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-19 14:15 An invalid memory access was discovered by a fuzz test Xin Liu
2023-12-19 15:06 ` Daniel Borkmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox