From nobody Fri Dec 19 14:09:44 2025 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E106336AED; Wed, 20 Dec 2023 13:41:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Received: from mail.maildlp.com (unknown [172.19.163.252]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4SwF8R1tSfzWk3v; Wed, 20 Dec 2023 21:41:27 +0800 (CST) Received: from dggpeml500010.china.huawei.com (unknown [7.185.36.155]) by mail.maildlp.com (Postfix) with ESMTPS id 1B4D9180085; Wed, 20 Dec 2023 21:41:47 +0800 (CST) Received: from huawei.com (10.175.101.6) by dggpeml500010.china.huawei.com (7.185.36.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Wed, 20 Dec 2023 21:41:46 +0800 From: Xin Liu To: , , , , , , , , , , CC: , , , , , , , , Subject: [PATCH] fix null pointer dereference in bpf_object__collect_prog_relos Date: Wed, 20 Dec 2023 21:41:51 +0800 Message-ID: <20231220134151.144224-1-liuxin350@huawei.com> X-Mailer: git-send-email 2.33.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To dggpeml500010.china.huawei.com (7.185.36.155) Content-Type: text/plain; charset="utf-8" From: zhangmingyi a issue occurred while reading an ELF file in libbpf.c during fuzzing: Program received signal SIGSEGV, Segmentation fault. 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 4206 in libbpf.c (gdb) bt #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706 #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437 #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497 #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzz= er.c:16 #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one () #6 0x000000000087ad92 in tracing::span::Span::in_scope () #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir () #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} () #9 0x00000000005f2601 in main () (gdb) scn_data was null at this code(tools/lib/bpf/src/libbpf.c): if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >=3D scn_data->d_size) { The scn_data is derived from the code above: =20 scn =3D elf_sec_by_idx(obj, sec_idx); scn_data =3D elf_sec_data(obj, scn); relo_sec_name =3D elf_sec_str(obj, shdr->sh_name); sec_name =3D elf_sec_name(obj, scn); if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL return -EINVAL; In certain special scenarios, such as reading a malformed ELF file, it is possible that scn_data may be a null pointer Signed-off-by: zhangmingyi Signed-off-by: Xin Liu Signed-off-by: Changye Wu --- tools/lib/bpf/libbpf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index e067be95da3c..df1b550f7460 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -4344,6 +4344,8 @@ bpf_object__collect_prog_relos(struct bpf_object *obj= , Elf64_Shdr *shdr, Elf_Dat =20 scn =3D elf_sec_by_idx(obj, sec_idx); scn_data =3D elf_sec_data(obj, scn); + if (!scn_data) + return -LIBBPF_ERRNO__FORMAT; =20 relo_sec_name =3D elf_sec_str(obj, shdr->sh_name); sec_name =3D elf_sec_name(obj, scn); --=20 2.33.0