1. Patchew
  2. linux
  3. View series

[PATCH bpf-next] bpf: fix oob in btf_name_valid_section

Edward Adam Davis posted 1 patch 1 year, 11 months ago 
kernel/bpf/btf.c | 2 ++
1 file changed, 2 insertions(+)
[PATCH bpf-next] bpf: fix oob in btf_name_valid_section
Posted by Edward Adam Davis 1 year, 11 months ago 
Check the first char of the BTF DATASEC names.

Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
Reported-and-tested-by: syzbot+cc32304f6487ebff9b70@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 kernel/bpf/btf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 170d017e8e4a..dda0aa0d7175 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -816,6 +816,8 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
 	const char *src = btf_str_by_offset(btf, offset);
 	const char *src_limit;
 
+	if (!isprint(*src))
+		return false;
 	/* set a limit on identifier length */
 	src_limit = src + KSYM_NAME_LEN;
 	src++;
-- 
2.43.0
Re: [PATCH bpf-next] bpf: fix oob in btf_name_valid_section
Posted by Eduard Zingerman 1 year, 11 months ago 
On Mon, 2024-03-11 at 21:16 +0800, Edward Adam Davis wrote:
> Check the first char of the BTF DATASEC names.
> 
> Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
> Reported-and-tested-by: syzbot+cc32304f6487ebff9b70@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  kernel/bpf/btf.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 170d017e8e4a..dda0aa0d7175 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -816,6 +816,8 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
>  	const char *src = btf_str_by_offset(btf, offset);
>  	const char *src_limit;
>  
> +	if (!isprint(*src))
> +		return false;
>  	/* set a limit on identifier length */
>  	src_limit = src + KSYM_NAME_LEN;
>  	src++;

Hi Edward,

Thank you for fixing this.
I wonder, maybe something like below would be simpler?

Thanks,
Eduard

---

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 170d017e8e4a..3d95d5398c8a 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -818,7 +818,6 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
 
        /* set a limit on identifier length */
        src_limit = src + KSYM_NAME_LEN;
-       src++;
        while (*src && src < src_limit) {
                if (!isprint(*src))
                        return false;
Re: [PATCH bpf-next] bpf: fix oob in btf_name_valid_section
Posted by Andrii Nakryiko 1 year, 11 months ago 
On Mon, Mar 11, 2024 at 7:48 AM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Mon, 2024-03-11 at 21:16 +0800, Edward Adam Davis wrote:
> > Check the first char of the BTF DATASEC names.
> >
> > Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
> > Reported-and-tested-by: syzbot+cc32304f6487ebff9b70@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > ---
> >  kernel/bpf/btf.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 170d017e8e4a..dda0aa0d7175 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -816,6 +816,8 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
> >       const char *src = btf_str_by_offset(btf, offset);
> >       const char *src_limit;
> >
> > +     if (!isprint(*src))
> > +             return false;
> >       /* set a limit on identifier length */
> >       src_limit = src + KSYM_NAME_LEN;
> >       src++;
>
> Hi Edward,
>
> Thank you for fixing this.
> I wonder, maybe something like below would be simpler?
>
> Thanks,
> Eduard
>
> ---
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 170d017e8e4a..3d95d5398c8a 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -818,7 +818,6 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
>
>         /* set a limit on identifier length */
>         src_limit = src + KSYM_NAME_LEN;
> -       src++;

ah, __btf_name_valid() has a separate __btf_name_char_ok(*src, true)
check and then skips first character :(

What Eduard proposes makes sense, we shouldn't advance src before the loop.

Eduard, I'd also say we should make __btf_name_valid() a bit more
uniform by dropping that first if and then doing

if (!__btf_name_char_ok(*src, src == src_orig))
    return false;

where we just remember original string pointer in src_orig.

WDYT?


>         while (*src && src < src_limit) {
>                 if (!isprint(*src))
>                         return false;
>
Re: [PATCH bpf-next] bpf: fix oob in btf_name_valid_section
Posted by Eduard Zingerman 1 year, 11 months ago 
On Mon, 2024-03-11 at 11:01 -0700, Andrii Nakryiko wrote:
[...]

> Eduard, I'd also say we should make __btf_name_valid() a bit more
> uniform by dropping that first if and then doing
> 
> if (!__btf_name_char_ok(*src, src == src_orig))
>     return false;
> 
> where we just remember original string pointer in src_orig.
> 
> WDYT?

Agree, this looks simpler.

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.