BPF List
 help / color / mirror / Atom feed
From: Eduard Zingerman <eddyz87@gmail.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
	daniel@iogearbox.net,  martin.lau@linux.dev, kernel-team@fb.com,
	yonghong.song@linux.dev, Liu RuiTong <cnitlrt@gmail.com>
Subject: Re: [PATCH bpf-next] bpf: bpf_core_calc_relo_insn() should verify relocation type id
Date: Wed, 21 Aug 2024 10:46:18 -0700	[thread overview]
Message-ID: <a36a3307e4102c8f05df4e1d9fd44fc7b4f77c32.camel@gmail.com> (raw)
In-Reply-To: <CAEf4BzYxrD-sEe2UE7HBFBAOxd1gW9cYLwjxjTKH8_vdxQzO_Q@mail.gmail.com>

On Wed, 2024-08-21 at 09:59 -0700, Andrii Nakryiko wrote:

[...]

> > Fixes: 74753e1462e7 ("libbpf: Replace btf__type_by_id() with btf_type_by_id().")
> > Reported-by: Liu RuiTong <cnitlrt@gmail.com>
> > Closes: https://lore.kernel.org/bpf/CAK55_s6do7C+DVwbwY_7nKfUz0YLDoiA1v6X3Y9+p0sWzipFSA@mail.gmail.com/
> > Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
> > ---
> >  tools/lib/bpf/relo_core.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
> > index 63a4d5ad12d1..a04724831ebc 100644
> > --- a/tools/lib/bpf/relo_core.c
> > +++ b/tools/lib/bpf/relo_core.c
> > @@ -1297,6 +1297,11 @@ int bpf_core_calc_relo_insn(const char *prog_name,
> > 
> >         local_id = relo->type_id;
> >         local_type = btf_type_by_id(local_btf, local_id);
> > +       if (!local_type) {
> 
> This is a meaningless check at least for libbpf's implementation of
> btf_type_by_id(), it never returns NULL. Commit you point to in Fixes
> tag clearly states the differences.

That is not true on kernel side.
bpf_core_calc_relo_insn() is called from bpf_core_apply():

int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
                   int relo_idx, void *insn)
{
        bool need_cands = relo->kind != BPF_CORE_TYPE_ID_LOCAL;
        ...
        if (need_cands) {
                ...
                // code below would report an error if relo->type_id is bogus
                cc = bpf_core_find_cands(ctx, relo->type_id);
                if (IS_ERR(cc)) {
                        bpf_log(ctx->log, "target candidate search failed for %d\n",
                                relo->type_id);
                        err = PTR_ERR(cc);
                        goto out;
                }
                ...
        }

        err = bpf_core_calc_relo_insn((void *)ctx->log, relo, relo_idx, ctx->btf, &cands, specs,
                                      &targ_res);
        ...
}

If `need_cands` is false the bogus type_id could reach into bpf_core_calc_relo_insn().
Which is exactly the case with repro submitted by Liu.
There is also a simplified repro here:
https://github.com/kernel-patches/bpf/commit/017a9dcf17e572f9b7c32aa62a81df8ef41cef17
But I can't submit it as a test yet.

> 
> So you'd need to validate local_id directly against number of types in
> local_btf.

How is this better than a null check?

> 
> pw-bot: cr
> 
> 
> > +               pr_warn("prog '%s': relo #%d: bad type id %u\n",
> 
> nit: this part of CO-RE-related code normally uses [%u] "syntax" to
> point to BTF type IDs, please adjust for consistency

Ok


  reply	other threads:[~2024-08-21 17:46 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-08-21 16:46 [PATCH bpf-next] bpf: bpf_core_calc_relo_insn() should verify relocation type id Eduard Zingerman
2024-08-21 16:59 ` Andrii Nakryiko
2024-08-21 17:46   ` Eduard Zingerman [this message]
2024-08-21 19:10     ` Andrii Nakryiko
2024-08-21 19:28       ` Eduard Zingerman
2024-08-21 20:08         ` Andrii Nakryiko
2024-08-21 22:32           ` Eduard Zingerman
2024-08-21 22:38             ` Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a36a3307e4102c8f05df4e1d9fd44fc7b4f77c32.camel@gmail.com \
    --to=eddyz87@gmail.com \
    --cc=andrii.nakryiko@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=cnitlrt@gmail.com \
    --cc=daniel@iogearbox.net \
    --cc=kernel-team@fb.com \
    --cc=martin.lau@linux.dev \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox