From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Jakub Kicinski <jakub.kicinski@netronome.com>,
Wen Yang <wen.yang99@zte.com.cn>,
Daniel Borkmann <daniel@iogearbox.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 058/123] tools: bpftool: fix potential NULL pointer dereference in do_load
Date: Wed, 5 Dec 2018 04:34:50 -0500 [thread overview]
Message-ID: <20181205093555.5386-58-sashal@kernel.org> (raw)
In-Reply-To: <20181205093555.5386-1-sashal@kernel.org>
From: Jakub Kicinski <jakub.kicinski@netronome.com>
[ Upstream commit dde7011a824cfa815b03f853ec985ff46b740939 ]
This patch fixes a possible null pointer dereference in
do_load, detected by the semantic patch deref_null.cocci,
with the following warning:
./tools/bpf/bpftool/prog.c:1021:23-25: ERROR: map_replace is NULL but dereferenced.
The following code has potential null pointer references:
881 map_replace = reallocarray(map_replace, old_map_fds + 1,
882 sizeof(*map_replace));
883 if (!map_replace) {
884 p_err("mem alloc failed");
885 goto err_free_reuse_maps;
886 }
...
1019 err_free_reuse_maps:
1020 for (i = 0; i < old_map_fds; i++)
1021 close(map_replace[i].fd);
1022 free(map_replace);
Fixes: 3ff5a4dc5d89 ("tools: bpftool: allow reuse of maps with bpftool prog load")
Co-developed-by: Wen Yang <wen.yang99@zte.com.cn>
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/bpf/bpftool/prog.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
index dce960d22106..0de024a6cc2b 100644
--- a/tools/bpf/bpftool/prog.c
+++ b/tools/bpf/bpftool/prog.c
@@ -749,6 +749,7 @@ static int do_load(int argc, char **argv)
}
NEXT_ARG();
} else if (is_prefix(*argv, "map")) {
+ void *new_map_replace;
char *endptr, *name;
int fd;
@@ -782,12 +783,15 @@ static int do_load(int argc, char **argv)
if (fd < 0)
goto err_free_reuse_maps;
- map_replace = reallocarray(map_replace, old_map_fds + 1,
- sizeof(*map_replace));
- if (!map_replace) {
+ new_map_replace = reallocarray(map_replace,
+ old_map_fds + 1,
+ sizeof(*map_replace));
+ if (!new_map_replace) {
p_err("mem alloc failed");
goto err_free_reuse_maps;
}
+ map_replace = new_map_replace;
+
map_replace[old_map_fds].idx = idx;
map_replace[old_map_fds].name = name;
map_replace[old_map_fds].fd = fd;
--
2.17.1
next prev parent reply other threads:[~2018-12-05 9:34 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20181205093555.5386-1-sashal@kernel.org>
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 013/123] tools: bpftool: prevent infinite loop in get_fdinfo() Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 017/123] netfilter: nf_conncount: use spin_lock_bh instead of spin_lock Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 018/123] netfilter: nf_conncount: fix list_del corruption in conn_free Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 019/123] netfilter: nf_conncount: fix unexpected permanent node of list Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 020/123] netfilter: nf_tables: don't skip inactive chains during update Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 023/123] netfilter: xt_RATEEST: remove netns exit routine Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 024/123] netfilter: nf_tables: fix use-after-free when deleting compat expressions Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 040/123] bpf: allocate local storage buffers using GFP_ATOMIC Sasha Levin
2018-12-07 6:40 ` Naresh Kamboju
2018-12-07 6:55 ` Naresh Kamboju
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 042/123] netfilter: xt_hashlimit: fix a possible memory leak in htable_create() Sasha Levin
2018-12-05 9:34 ` Sasha Levin [this message]
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 065/123] bpf: fix check of allowed specifiers in bpf_trace_printk Sasha Levin
2018-12-05 9:34 ` [PATCH AUTOSEL 4.19 067/123] ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 075/123] netfilter: ipv6: Preserve link scope traffic original oif Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 077/123] netfilter: add missing error handling code for register functions Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 078/123] netfilter: nat: fix double register in masquerade modules Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 079/123] netfilter: nf_conncount: remove wrong condition check routine Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 083/123] usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 084/123] net: phy: add workaround for issue where PHY driver doesn't bind to the device Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 085/123] net: thunderx: fix NULL pointer dereference in nic_remove Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 086/123] lan743x: fix return value for lan743x_tx_napi_poll Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 087/123] lan743x: Enable driver to work with LAN7431 Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 089/123] netfilter: nf_tables: deactivate expressions in rule replecement routine Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 094/123] igb: fix uninitialized variables Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 095/123] ixgbe: recognize 1000BaseLX SFP modules as 1Gbps Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 096/123] rapidio/rionet: do not free skb before reading its length Sasha Levin
2018-12-05 9:35 ` [PATCH AUTOSEL 4.19 097/123] net: hisilicon: remove unexpected free_netdev Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181205093555.5386-58-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=daniel@iogearbox.net \
--cc=jakub.kicinski@netronome.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=wen.yang99@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).