Re: [PATCH] libbpf: add validation to BTF's variable type ID

BPF List
 help / color / mirror / Atom feed

From: Anne Macedo <annemacedo@linux.microsoft.com>
To: John Fastabend <john.fastabend@gmail.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Isabella Basso <isabbasso@riseup.net>,
	Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH] libbpf: add validation to BTF's variable type ID
Date: Fri, 30 Sep 2022 10:00:14 -0300	[thread overview]
Message-ID: <92157e05-e383-ed4b-8b01-2981dbf5afd3@linux.microsoft.com> (raw)
In-Reply-To: <63365532d416f_233df20899@john.notmuch>

On 29/09/22 23:32, John Fastabend wrote:
> Anne Macedo wrote:
>> If BTF is corrupted, a SEGV may occur due to a null pointer dereference on
>> bpf_object__init_user_btf_map.
>>
>> This patch adds a validation that checks whether the DATASEC's variable
>> type ID is null. If so, it raises a warning.
>>
>> Reported by oss-fuzz project [1].
>>
>> A similar patch for the same issue exists on [2]. However, the code is
>> unreachable when using oss-fuzz data.
>>
>> [1] https://github.com/libbpf/libbpf/issues/484
>> [2] https://patchwork.kernel.org/project/netdevbpf/patch/20211103173213.1376990-3-andrii@kernel.org/
>>
>> Reviewed-by: Isabella Basso <isabbasso@riseup.net>
>> Signed-off-by: Anne Macedo <annemacedo@linux.microsoft.com>
>> ---
>>   tools/lib/bpf/libbpf.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
>> index 184ce1684dcd..0c88612ab7c4 100644
>> --- a/tools/lib/bpf/libbpf.c
>> +++ b/tools/lib/bpf/libbpf.c
>> @@ -2464,6 +2464,10 @@ static int bpf_object__init_user_btf_map(struct bpf_object *obj,
>>   
>>   	vi = btf_var_secinfos(sec) + var_idx;
>>   	var = btf__type_by_id(obj->btf, vi->type);
>> +	if (!var || !btf_is_var(var)) {
>> +		pr_warn("map #%d: non-VAR type seen", var_idx);
>> +		return -EINVAL;
>> +	}
>>   	var_extra = btf_var(var);
>>   	map_name = btf__name_by_offset(obj->btf, var->name_off);
>>   
>> -- 
>> 2.30.2
>>
> 
> 
> I don't know abouut this. A quick scan looks like this type_by_id is
> used lots of places. And seems corrupted BTF could cause faults
> and confusiuon in other spots as well. I'm not sure its worth making
> libbpf survive corrupted BTF. OTOH this specific patch looks ok.
> 

I was planning on creating a function to validate BTF for these kinds of 
corruptions, but decided to keep this patch simple. This could be a good 
idea for some future work – moving all of the validations to 
bpf_object__init_btf() or to a helper function.

> How did it get corrupted in the first place? Curious to see if
> others want to harden libbpf like this.
> 

There's a test case by oss-fuzz [1] that generated this corrupted BTF. 
There's also some C code for replicating this bug [2] using the oss-fuzz 
data.

On a side note, fixing this bug would help oss-fuzz find other, more 
relevant, bugs.

Found the original oss-fuzz report at [3].

[1] https://oss-fuzz.com/download?testcase_id=5041748798210048
[2] https://github.com/libbpf/libbpf/issues/484#issuecomment-1250020929
[3] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42345

next prev parent reply	other threads:[~2022-09-30 13:00 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-29 16:05 [PATCH] libbpf: add validation to BTF's variable type ID Anne Macedo
2022-09-30  2:32 ` John Fastabend
2022-09-30 13:00   ` Anne Macedo [this message]
2022-09-30 22:38     ` Andrii Nakryiko
2022-10-03 21:26       ` Paul Moore
2022-10-05 22:42         ` Andrii Nakryiko
2022-10-06 17:01           ` Anne Macedo
2022-10-06 17:07             ` Andrii Nakryiko
2022-10-06 17:54               ` Anne Macedo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=92157e05-e383-ed4b-8b01-2981dbf5afd3@linux.microsoft.com \
    --to=annemacedo@linux.microsoft.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=haoluo@google.com \
    --cc=isabbasso@riseup.net \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=paul@paul-moore.com \
    --cc=sdf@google.com \
    --cc=song@kernel.org \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox