Projects
openEuler:24.03
libbpf
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 9
View file
_service:tar_scm:libbpf.spec
Changed
@@ -4,7 +4,7 @@ Name: %{githubname} Version: %{githubver} -Release: 1 +Release: 2 Summary: Libbpf library License: LGPLv2 or BSD @@ -16,6 +16,7 @@ Patch0000: backport-libbpf-Ensure-FD-3-during-bpf_map__reuse_fd.patch Patch0001: backport-libbpf-Ensure-libbpf-always-opens-files-with-O_CLOEX.patch Patch0002: backport-libbpf-Set-close-on-exec-flag-on-gzopen.patch +Patch0003: backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch # This package supersedes libbpf from kernel-tools, # which has default Epoch: 0. By having Epoch: 1 @@ -68,6 +69,10 @@ %{_libdir}/libbpf.a %changelog +* Mon Apr 15 2024 zhangmingyi <zhangmingyi5@huawei.com> 2:1.2.2-2 +- backport patches from upstream: + backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch + * Fri Jan 19 2024 zhangmingyi <zhangmingyi5@huawei.com> 2:1.2.2-1 - update to version 1.2.2
View file
_service:tar_scm:backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch
Added
@@ -0,0 +1,65 @@ +From c008eb921eec064f01263b2a5577dc668b27b0cc Mon Sep 17 00:00:00 2001 +From: Mingyi Zhang <zhangmingyi5@huawei.com> +Date: Thu, 21 Dec 2023 11:39:47 +0800 +Subject: PATCH libbpf: Fix NULL pointer dereference in + bpf_object__collect_prog_relos + +An issue occurred while reading an ELF file in libbpf.c during fuzzing: + + Program received signal SIGSEGV, Segmentation fault. + 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + 4206 in libbpf.c + (gdb) bt + #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706 + #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437 + #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497 + #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16 + #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one () + #6 0x000000000087ad92 in tracing::span::Span::in_scope () + #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir () + #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} () + #9 0x00000000005f2601 in main () + (gdb) + +scn_data was null at this code(tools/lib/bpf/src/libbpf.c): + + if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) { + +The scn_data is derived from the code above: + + scn = elf_sec_by_idx(obj, sec_idx); + scn_data = elf_sec_data(obj, scn); + + relo_sec_name = elf_sec_str(obj, shdr->sh_name); + sec_name = elf_sec_name(obj, scn); + if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL + return -EINVAL; + +In certain special scenarios, such as reading a malformed ELF file, +it is possible that scn_data may be a null pointer + +Signed-off-by: Mingyi Zhang <zhangmingyi5@huawei.com> +Signed-off-by: Xin Liu <liuxin350@huawei.com> +Signed-off-by: Changye Wu <wuchangye@huawei.com> +Signed-off-by: Andrii Nakryiko <andrii@kernel.org> +Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> +Acked-by: Daniel Borkmann <daniel@iogearbox.net> +Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@huawei.com +--- + src/libbpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libbpf.c b/src/libbpf.c +index ac54ebc06..ebcfb2147 100644 +--- a/src/libbpf.c ++++ b/src/libbpf.c +@@ -4355,6 +4355,8 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, Elf64_Shdr *shdr, Elf_Dat + + scn = elf_sec_by_idx(obj, sec_idx); + scn_data = elf_sec_data(obj, scn); ++ if (!scn_data) ++ return -LIBBPF_ERRNO__FORMAT; + + relo_sec_name = elf_sec_str(obj, shdr->sh_name); + sec_name = elf_sec_name(obj, scn);
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2