From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jakub Kicinski Subject: Re: [PATCH 3/4] tools: bpftool: fix potential NULL pointer dereference in do_load Date: Wed, 21 Nov 2018 09:30:44 -0800 Message-ID: <20181121093044.3c34b66b@cakuba.netronome.com> References: <1542786192-19164-1-git-send-email-wen.yang99@zte.com.cn> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: wen.yang99@zte.com.cn, Alexei Starovoitov , Daniel Borkmann , Quentin Monnet , Jiong Wang , guro@fb.com, Sandipan Das , John Fastabend , netdev , LKML , zhong.weidong@zte.com.cn, wang.yi59@zte.com.cn, julia.lawall@lip6.fr To: Y Song Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On Wed, 21 Nov 2018 09:18:06 -0800, Y Song wrote: > On Tue, Nov 20, 2018 at 11:42 PM Wen Yang wrote: > > > > This patch fixes a possible null pointer dereference in > > do_load, detected by the semantic patch > > deref_null.cocci, with the following warning: > > > > ./tools/bpf/bpftool/prog.c:1021:23-25: ERROR: map_replace is NULL but dereferenced. > > > > The following code has potential null pointer references: > > 881 map_replace = reallocarray(map_replace, old_map_fds + 1, > > 882 sizeof(*map_replace)); > > 883 if (!map_replace) { > > 884 p_err("mem alloc failed"); > > 885 goto err_free_reuse_maps; > > 886 } > > > > ... > > 1019 err_free_reuse_maps: > > 1020 for (i = 0; i < old_map_fds; i++) > > 1021 close(map_replace[i].fd); > > 1022 free(map_replace); > > I did not see any issues here. > We have code looks like: > 867 struct map_replace *map_replace = NULL; > 868 struct bpf_program *prog = NULL, *pos; > 869 unsigned int old_map_fds = 0; > ... > 948 map_replace = reallocarray(map_replace, > old_map_fds + 1, > 949 sizeof(*map_replace)); > 950 if (!map_replace) { > 951 p_err("mem alloc failed"); > 952 goto err_free_reuse_maps; > 953 } > 954 map_replace[old_map_fds].idx = idx; > 955 map_replace[old_map_fds].name = name; > 956 map_replace[old_map_fds].fd = fd; > 957 old_map_fds++; > ... > > old_map_fds becomes non zero if and only if map_replace is not NULL. Note that this is a realloc in a loop, and map_replace will become NULL again if realloc fails. We should check the return value of realloc() without loosing the pointer to the old value. No? > > Signed-off-by: Wen Yang > > Reviewed-by: Tan Hu > > CC: Julia Lawall > > --- > > tools/bpf/bpftool/prog.c | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c > > index 5302ee2..de42187 100644 > > --- a/tools/bpf/bpftool/prog.c > > +++ b/tools/bpf/bpftool/prog.c > > @@ -1017,8 +1017,9 @@ static int do_load(int argc, char **argv) > > err_close_obj: > > bpf_object__close(obj); > > err_free_reuse_maps: > > - for (i = 0; i < old_map_fds; i++) > > - close(map_replace[i].fd); > > + if (map_replace) > > + for (i = 0; i < old_map_fds; i++) > > + close(map_replace[i].fd); > > free(map_replace); > > return -1; > > } > > -- > > 2.9.5 > >