From 0c1a912a3610a418b0e9134806b2ef13db6ab7a1 Mon Sep 17 00:00:00 2001 From: zhang-mingyi66 Date: Mon, 15 Apr 2024 16:44:16 +0800 Subject: [PATCH] backport patches from upstream backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch backport-libbpf-Fix-str_has_sfxs-return-value.patch backport-libbpf-Initialize-err-in-probe_map_create.patch (cherry picked from commit e55c477544ff210c205ad481d168cd7a30ad43ad) --- ...pointer-dereference-in_bpf_object__c.patch | 65 +++++++++++++++++++ ...libbpf-Fix-str_has_sfxs-return-value.patch | 35 ++++++++++ ...f-Initialize-err-in-probe_map_create.patch | 35 ++++++++++ libbpf.spec | 11 +++- 4 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch create mode 100644 backport-libbpf-Fix-str_has_sfxs-return-value.patch create mode 100644 backport-libbpf-Initialize-err-in-probe_map_create.patch diff --git a/backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch b/backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch new file mode 100644 index 0000000..9c47564 --- /dev/null +++ b/backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch @@ -0,0 +1,65 @@ +From c008eb921eec064f01263b2a5577dc668b27b0cc Mon Sep 17 00:00:00 2001 +From: Mingyi Zhang +Date: Thu, 21 Dec 2023 11:39:47 +0800 +Subject: [PATCH] libbpf: Fix NULL pointer dereference in + bpf_object__collect_prog_relos + +An issue occurred while reading an ELF file in libbpf.c during fuzzing: + + Program received signal SIGSEGV, Segmentation fault. + 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + 4206 in libbpf.c + (gdb) bt + #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706 + #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437 + #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497 + #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16 + #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one () + #6 0x000000000087ad92 in tracing::span::Span::in_scope () + #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir () + #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} () + #9 0x00000000005f2601 in main () + (gdb) + +scn_data was null at this code(tools/lib/bpf/src/libbpf.c): + + if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) { + +The scn_data is derived from the code above: + + scn = elf_sec_by_idx(obj, sec_idx); + scn_data = elf_sec_data(obj, scn); + + relo_sec_name = elf_sec_str(obj, shdr->sh_name); + sec_name = elf_sec_name(obj, scn); + if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL + return -EINVAL; + +In certain special scenarios, such as reading a malformed ELF file, +it is possible that scn_data may be a null pointer + +Signed-off-by: Mingyi Zhang +Signed-off-by: Xin Liu +Signed-off-by: Changye Wu +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@huawei.com +--- + src/libbpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libbpf.c b/src/libbpf.c +index ac54ebc06..ebcfb2147 100644 +--- a/src/libbpf.c ++++ b/src/libbpf.c +@@ -4355,6 +4355,8 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, Elf64_Shdr *shdr, Elf_Dat + + scn = elf_sec_by_idx(obj, sec_idx); + scn_data = elf_sec_data(obj, scn); ++ if (!scn_data) ++ return -LIBBPF_ERRNO__FORMAT; + + relo_sec_name = elf_sec_str(obj, shdr->sh_name); + sec_name = elf_sec_name(obj, scn); diff --git a/backport-libbpf-Fix-str_has_sfxs-return-value.patch b/backport-libbpf-Fix-str_has_sfxs-return-value.patch new file mode 100644 index 0000000..ca09bd0 --- /dev/null +++ b/backport-libbpf-Fix-str_has_sfxs-return-value.patch @@ -0,0 +1,35 @@ +From 8663289b5199c67bc2bcf82a1ec91ef874df2813 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 19 Jul 2022 12:53:01 +0300 +Subject: [PATCH] libbpf: Fix str_has_sfx()'s return value + +The return from strcmp() is inverted so it wrongly returns true instead +of false and vice versa. + +Fixes: a1c9d61b19cb ("libbpf: Improve library identification for uprobe binary path resolution") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Cc: Alan Maguire +Link: https://lore.kernel.org/bpf/YtZ+/dAA195d99ak@kili +--- + src/libbpf_internal.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libbpf_internal.h b/src/libbpf_internal.h +index f01dbab49..4135ae0a2 100644 +--- a/src/libbpf_internal.h ++++ b/src/libbpf_internal.h +@@ -108,9 +108,9 @@ static inline bool str_has_sfx(const char *str, const char *sfx) + size_t str_len = strlen(str); + size_t sfx_len = strlen(sfx); + +- if (sfx_len <= str_len) +- return strcmp(str + str_len - sfx_len, sfx); +- return false; ++ if (sfx_len > str_len) ++ return false; ++ return strcmp(str + str_len - sfx_len, sfx) == 0; + } + + /* Symbol versioning is different between static and shared library. diff --git a/backport-libbpf-Initialize-err-in-probe_map_create.patch b/backport-libbpf-Initialize-err-in-probe_map_create.patch new file mode 100644 index 0000000..39a93b8 --- /dev/null +++ b/backport-libbpf-Initialize-err-in-probe_map_create.patch @@ -0,0 +1,35 @@ +From bd1e5cff31d49a9b4beb293a8d96b609cd535fb7 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Sun, 31 Jul 2022 19:51:09 -0700 +Subject: [PATCH] libbpf: Initialize err in probe_map_create + +GCC-11 warns about the possibly unitialized err variable in +probe_map_create: + +libbpf_probes.c: In function 'probe_map_create': +libbpf_probes.c:361:38: error: 'err' may be used uninitialized in this function [-Werror=maybe-uninitialized] + 361 | return fd < 0 && err == exp_err ? 1 : 0; + | ~~~~^~~~~~~~~~ + +Fixes: 878d8def0603 ("libbpf: Rework feature-probing APIs") +Signed-off-by: Florian Fainelli +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20220801025109.1206633-1-f.fainelli@gmail.com +--- + src/libbpf_probes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libbpf_probes.c b/src/libbpf_probes.c +index 0b5398786..6d495656f 100644 +--- a/src/libbpf_probes.c ++++ b/src/libbpf_probes.c +@@ -193,7 +193,7 @@ static int probe_map_create(enum bpf_map_type map_type) + LIBBPF_OPTS(bpf_map_create_opts, opts); + int key_size, value_size, max_entries; + __u32 btf_key_type_id = 0, btf_value_type_id = 0; +- int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err; ++ int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err = 0; + + opts.map_ifindex = ifindex; + diff --git a/libbpf.spec b/libbpf.spec index 2ea9bc1..a847ba2 100644 --- a/libbpf.spec +++ b/libbpf.spec @@ -4,7 +4,7 @@ Name: %{githubname} Version: %{githubver} -Release: 11 +Release: 12 Summary: Libbpf library License: LGPLv2 or BSD @@ -38,6 +38,9 @@ Patch0021: backport-libbpf-Fix-realloc-API-handling-in-zero-sized-edge-case Patch0022: backport-libbpf-Set-close-on-exec-flag-on-gzopen.patch Patch0023: backport-libbpf-Fix-is_pow_of_2.patch Patch0024: backport-libbpf-make-RINGBUF-map-size-adjustments-more-eagerly.patch +Patch0025: backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch +Patch0026: backport-libbpf-Fix-str_has_sfxs-return-value.patch +Patch0027: backport-libbpf-Initialize-err-in-probe_map_create.patch # This package supersedes libbpf from kernel-tools, # which has default Epoch: 0. By having Epoch: 1 @@ -90,6 +93,12 @@ developing applications that use %{name} %{_libdir}/libbpf.a %changelog +* Mon Apr 15 2024 zhangmingyi 2:0.8.1-12 +- backport patches from upstream: + backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch + backport-libbpf-Fix-str_has_sfxs-return-value.patch + backport-libbpf-Initialize-err-in-probe_map_create.patch + * Thu Dec 7 2023 zhangmingyi 2:0.8.1-11 - backport patches from upstream: backport-libbpf-Fix-realloc-API-handling-in-zero-sized-edge-cases.patch -- Gitee