* [PATCH bpf-next] libbpf: fix potential uninit memory read
@ 2021-12-14  1:00 Andrii Nakryiko
From: Andrii Nakryiko @ 2021-12-14  1:00 UTC (permalink / raw)
  To: bpf, ast, daniel; +Cc: andrii, kernel-team

In the case of BPF_CORE_TYPE_ID_LOCAL we fill out the target result explicitly.
But targ_res itself isn't initialized in such a case, and the subsequent
call to bpf_core_patch_insn() might read an uninitialized field (like
fail_memsz_adjust in this case). So ensure that targ_res is
zero-initialized for the BPF_CORE_TYPE_ID_LOCAL case.

This was reported by the Coverity static analyzer.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 tools/lib/bpf/relo_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c
index c770483b4c36..910865e29edc 100644
--- a/tools/lib/bpf/relo_core.c
+++ b/tools/lib/bpf/relo_core.c
@@ -1223,6 +1223,7 @@ int bpf_core_apply_relo_insn(const char *prog_name, struct bpf_insn *insn,
 	/* TYPE_ID_LOCAL relo is special and doesn't need candidate search */
 	if (relo->kind == BPF_CORE_TYPE_ID_LOCAL) {
 		/* bpf_insn's imm value could get out of sync during linking */
+		memset(&targ_res, 0, sizeof(targ_res));
 		targ_res.validate = false;
 		targ_res.poison = false;
 		targ_res.orig_val = local_spec->root_type_id;
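Review bot: with the added memset zeroing the whole struct, the two assignments that follow it, `targ_res.validate = false;` and `targ_res.poison = false;`, are now redundant; either drop them or keep them with a short comment saying that the memset is what covers the fields this path never assigns (such as fail_memsz_adjust named in the commit message), so the reason for the zero-fill is recorded next to the code rather than only in the log. An alternative that covers every path through the function, not just TYPE_ID_LOCAL, is a zero initializer at the declaration of targ_res, which sits outside this hunk.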
-- 
2.30.2
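Added example, not part of the patch or of libbpf: a small C model of the bug the commit message describes and of the one-line fix. Only the field names come from the thread; the struct layout, the patch_insn() stand-in for bpf_core_patch_insn() and the 0x01 stale-stack fill are assumptions made so the effect is deterministic and visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for libbpf's relocation result struct: the field
 * names follow the commit message and hunk, the layout is an assumption. */
struct relo_res {
	bool validate;
	bool poison;
	uint32_t orig_val;
	uint32_t new_val;
	bool fail_memsz_adjust;
};

/* Models bpf_core_patch_insn(): refuses to patch when fail_memsz_adjust is set.
 * Returns 0 on success and -1 when the relocation is rejected. */
static int patch_insn(const struct relo_res *res, uint32_t *imm)
{
	if (res->fail_memsz_adjust)
		return -1;
	*imm = res->new_val;
	return 0;
}

/* Models the TYPE_ID_LOCAL path. zero_first selects the pre-fix behaviour
 * (set a few fields only) or the fixed one (memset the whole struct first).
 * Stale stack contents are simulated deterministically by pre-filling the
 * struct with 0x01 bytes, so no undefined behaviour is needed to show the bug.
 * Returns the patched imm on success or -1 when the patcher rejects it. */
long relocate_local_type_id(bool zero_first, uint32_t root_type_id)
{
	struct relo_res targ_res;
	uint32_t imm = 0;

	memset(&targ_res, 0x01, sizeof(targ_res));  /* stale bytes from an earlier frame */

	if (zero_first)
		memset(&targ_res, 0, sizeof(targ_res)); /* the one-line fix from the patch */
	targ_res.validate = false;
	targ_res.poison = false;
	targ_res.orig_val = root_type_id;
	targ_res.new_val = root_type_id;
	/* fail_memsz_adjust is never assigned on this path: without the memset it
	 * keeps whatever the stack held, and the consumer below acts on it. */

	if (patch_insn(&targ_res, &imm) < 0)
		return -1;
	return (long)imm;
}
```

Without the zero-fill the stale nonzero fail_memsz_adjust makes the patcher reject a relocation that should succeed; with it, the instruction is patched with the expected type id.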



* Re: [PATCH bpf-next] libbpf: fix potential uninit memory read
From: patchwork-bot+netdevbpf @ 2021-12-14 14:40 UTC (permalink / raw)
  To: Andrii Nakryiko; +Cc: bpf, ast, daniel, kernel-team

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:

On Mon, 13 Dec 2021 17:00:32 -0800 you wrote:
> In the case of BPF_CORE_TYPE_ID_LOCAL we fill out the target result explicitly.
> But targ_res itself isn't initialized in such a case, and the subsequent
> call to bpf_core_patch_insn() might read an uninitialized field (like
> fail_memsz_adjust in this case). So ensure that targ_res is
> zero-initialized for the BPF_CORE_TYPE_ID_LOCAL case.
> 
> This was reported by the Coverity static analyzer.
> 
> [...]

Here is the summary with links:
  - [bpf-next] libbpf: fix potential uninit memory read
    https://git.kernel.org/bpf/bpf-next/c/4581e676d3be

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

