[PATCH bpf-next 0/5] libbpf ELF sanity checking improvements

[PATCH bpf-next 0/5] libbpf ELF sanity checking improvements

[Andrii Nakryiko]

Few patches fixing various issues discovered by oss-fuzz project fuzzing
bpf_object__open() call. Fixes are mostly focused around additional simple
sanity checks of ELF format: symbols, relos, section indices.

Andrii Nakryiko (5):
  libbpf: detect corrupted ELF symbols section
  libbpf: improve sanity checking during BTF fix up
  libbpf: validate that .BTF and .BTF.ext sections contain data
  libbpf: fix section counting logic
  libbpf: improve ELF relo sanitization

 tools/lib/bpf/libbpf.c | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)

-- 
2.30.2

[PATCH bpf-next 1/5] libbpf: detect corrupted ELF symbols section

[Andrii Nakryiko]

Prevent divide-by-zero if ELF is corrupted and has zero sh_entsize.
Reported by oss-fuzz project.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 tools/lib/bpf/libbpf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index a1bea1953df6..71f5a009010a 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -3555,7 +3555,7 @@ static int bpf_object__collect_externs(struct bpf_object *obj)
 
 	scn = elf_sec_by_idx(obj, obj->efile.symbols_shndx);
 	sh = elf_sec_hdr(obj, scn);
-	if (!sh)
+	if (!sh || sh->sh_entsize != sizeof(Elf64_Sym))
 		return -LIBBPF_ERRNO__FORMAT;
 
 	dummy_var_btf_id = add_dummy_ksym_var(obj->btf);
-- 
2.30.2

[PATCH bpf-next 2/5] libbpf: improve sanity checking during BTF fix up

[Andrii Nakryiko]

If BTF is corrupted DATASEC's variable type ID might be incorrect.
Prevent this easy to detect situation with extra NULL check.
Reported by oss-fuzz project.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 tools/lib/bpf/libbpf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 71f5a009010a..4537ce6d54ce 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -2754,7 +2754,7 @@ static int btf_fixup_datasec(struct bpf_object *obj, struct btf *btf,
 		t_var = btf__type_by_id(btf, vsi->type);
 		var = btf_var(t_var);
 
-		if (!btf_is_var(t_var)) {
+		if (!t_var || !btf_is_var(t_var)) {
 			pr_debug("Non-VAR type seen in section %s\n", name);
 			return -EINVAL;
 		}
-- 
2.30.2

[PATCH bpf-next 3/5] libbpf: validate that .BTF and .BTF.ext sections contain data

[Andrii Nakryiko]

.BTF and .BTF.ext ELF sections should have SHT_PROGBITS type and contain
data. If they are not, ELF is invalid or corrupted, so bail out.
Otherwise this can lead to data->d_buf being NULL and SIGSEGV later on.
Reported by oss-fuzz project.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 tools/lib/bpf/libbpf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 4537ce6d54ce..757604b9f869 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -3271,8 +3271,12 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
 		} else if (strcmp(name, MAPS_ELF_SEC) == 0) {
 			obj->efile.btf_maps_shndx = idx;
 		} else if (strcmp(name, BTF_ELF_SEC) == 0) {
+			if (sh->sh_type != SHT_PROGBITS)
+				return -LIBBPF_ERRNO__FORMAT;
 			btf_data = data;
 		} else if (strcmp(name, BTF_EXT_ELF_SEC) == 0) {
+			if (sh->sh_type != SHT_PROGBITS)
+				return -LIBBPF_ERRNO__FORMAT;
 			btf_ext_data = data;
 		} else if (sh->sh_type == SHT_SYMTAB) {
 			/* already processed during the first pass above */
-- 
2.30.2

[PATCH bpf-next 4/5] libbpf: fix section counting logic

[Andrii Nakryiko]

e_shnum does include section #0 and as such is exactly the number of ELF
sections that we need to allocate memory for to use section indices as
array indices. Fix the off-by-one error.

This is purely accounting fix, previously we were overallocating one
too many array items. But no correctness errors otherwise.

Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 tools/lib/bpf/libbpf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 757604b9f869..ecea4dfaca82 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -3191,11 +3191,11 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
 	Elf_Scn *scn;
 	Elf64_Shdr *sh;
 
-	/* ELF section indices are 1-based, so allocate +1 element to keep
-	 * indexing simple. Also include 0th invalid section into sec_cnt for
-	 * simpler and more traditional iteration logic.
+	/* ELF section indices are 0-based, but sec #0 is special "invalid"
+	 * section. e_shnum does include sec #0, so e_shnum is the necessary
+	 * size of an array to keep all the sections.
 	 */
-	obj->efile.sec_cnt = 1 + obj->efile.ehdr->e_shnum;
+	obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
 	obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
 	if (!obj->efile.secs)
 		return -ENOMEM;
-- 
2.30.2

[PATCH bpf-next 5/5] libbpf: improve ELF relo sanitization

[Andrii Nakryiko]

Add few sanity checks for relocations to prevent div-by-zero and
out-of-bounds array accesses in libbpf.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 tools/lib/bpf/libbpf.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index ecea4dfaca82..de8569ff4d47 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -3307,6 +3307,10 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
 		} else if (sh->sh_type == SHT_REL) {
 			int targ_sec_idx = sh->sh_info; /* points to other section */
 
+			if (sh->sh_entsize != sizeof(Elf64_Rel) ||
+			    targ_sec_idx >= obj->efile.sec_cnt)
+				return -LIBBPF_ERRNO__FORMAT;
+
 			/* Only do relo for section with exec instructions */
 			if (!section_have_execinstr(obj, targ_sec_idx) &&
 			    strcmp(name, ".rel" STRUCT_OPS_SEC) &&
@@ -4026,7 +4030,7 @@ static int
 bpf_object__collect_prog_relos(struct bpf_object *obj, Elf64_Shdr *shdr, Elf_Data *data)
 {
 	const char *relo_sec_name, *sec_name;
-	size_t sec_idx = shdr->sh_info;
+	size_t sec_idx = shdr->sh_info, sym_idx;
 	struct bpf_program *prog;
 	struct reloc_desc *relos;
 	int err, i, nrels;
@@ -4037,6 +4041,9 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, Elf64_Shdr *shdr, Elf_Dat
 	Elf64_Sym *sym;
 	Elf64_Rel *rel;
 
+	if (sec_idx >= obj->efile.sec_cnt)
+		return -EINVAL;
+
 	scn = elf_sec_by_idx(obj, sec_idx);
 	scn_data = elf_sec_data(obj, scn);
 
@@ -4056,16 +4063,23 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, Elf64_Shdr *shdr, Elf_Dat
 			return -LIBBPF_ERRNO__FORMAT;
 		}
 
-		sym = elf_sym_by_idx(obj, ELF64_R_SYM(rel->r_info));
+		sym_idx = ELF64_R_SYM(rel->r_info);
+		sym = elf_sym_by_idx(obj, sym_idx);
 		if (!sym) {
-			pr_warn("sec '%s': symbol 0x%zx not found for relo #%d\n",
-				relo_sec_name, (size_t)ELF64_R_SYM(rel->r_info), i);
+			pr_warn("sec '%s': symbol #%zu not found for relo #%d\n",
+				relo_sec_name, sym_idx, i);
+			return -LIBBPF_ERRNO__FORMAT;
+		}
+
+		if (sym->st_shndx >= obj->efile.sec_cnt) {
+			pr_warn("sec '%s': corrupted symbol #%zu pointing to invalid section #%zu for relo #%d\n",
+				relo_sec_name, sym_idx, (size_t)sym->st_shndx, i);
 			return -LIBBPF_ERRNO__FORMAT;
 		}
 
 		if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
 			pr_warn("sec '%s': invalid offset 0x%zx for relo #%d\n",
-				relo_sec_name, (size_t)ELF64_R_SYM(rel->r_info), i);
+				relo_sec_name, (size_t)rel->r_offset, i);
 			return -LIBBPF_ERRNO__FORMAT;
 		}
 
-- 
2.30.2

Re: [PATCH bpf-next 1/5] libbpf: detect corrupted ELF symbols section

[Yonghong Song]

On 11/2/21 5:09 PM, Andrii Nakryiko wrote:
> Prevent divide-by-zero if ELF is corrupted and has zero sh_entsize.
> Reported by oss-fuzz project.
> 
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Acked-by: Yonghong Song <yhs@fb.com>

Re: [PATCH bpf-next 2/5] libbpf: improve sanity checking during BTF fix up

[Yonghong Song]

On 11/2/21 5:10 PM, Andrii Nakryiko wrote:
> If BTF is corrupted DATASEC's variable type ID might be incorrect.
> Prevent this easy to detect situation with extra NULL check.
> Reported by oss-fuzz project.
> 
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Ack with a nit below.
Acked-by: Yonghong Song <yhs@fb.com>

> ---
>   tools/lib/bpf/libbpf.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 71f5a009010a..4537ce6d54ce 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -2754,7 +2754,7 @@ static int btf_fixup_datasec(struct bpf_object *obj, struct btf *btf,
>   		t_var = btf__type_by_id(btf, vsi->type);
>   		var = btf_var(t_var);

Can we move the above 'var = ...' assignment after below if statement?

>   
> -		if (!btf_is_var(t_var)) {
> +		if (!t_var || !btf_is_var(t_var)) {
>   			pr_debug("Non-VAR type seen in section %s\n", name);
>   			return -EINVAL;
>   		}
> 

Re: [PATCH bpf-next 3/5] libbpf: validate that .BTF and .BTF.ext sections contain data

[Yonghong Song]

On 11/2/21 5:10 PM, Andrii Nakryiko wrote:
> .BTF and .BTF.ext ELF sections should have SHT_PROGBITS type and contain
> data. If they are not, ELF is invalid or corrupted, so bail out.
> Otherwise this can lead to data->d_buf being NULL and SIGSEGV later on.
> Reported by oss-fuzz project.
> 
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Acked-by: Yonghong Song <yhs@fb.com>

Re: [PATCH bpf-next 4/5] libbpf: fix section counting logic

[Yonghong Song]

On 11/2/21 5:10 PM, Andrii Nakryiko wrote:
> e_shnum does include section #0 and as such is exactly the number of ELF
> sections that we need to allocate memory for to use section indices as
> array indices. Fix the off-by-one error.
> 
> This is purely accounting fix, previously we were overallocating one
> too many array items. But no correctness errors otherwise.
> 
> Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Acked-by: Yonghong Song <yhs@fb.com>

Re: [PATCH bpf-next 5/5] libbpf: improve ELF relo sanitization

[Yonghong Song]

On 11/2/21 5:10 PM, Andrii Nakryiko wrote:
> Add few sanity checks for relocations to prevent div-by-zero and
> out-of-bounds array accesses in libbpf.
> 
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Acked-by: Yonghong Song <yhs@fb.com>

Re: [PATCH bpf-next 2/5] libbpf: improve sanity checking during BTF fix up

[Andrii Nakryiko]

On Tue, Nov 2, 2021 at 11:06 PM Yonghong Song <yhs@fb.com> wrote:
>
>
>
> On 11/2/21 5:10 PM, Andrii Nakryiko wrote:
> > If BTF is corrupted DATASEC's variable type ID might be incorrect.
> > Prevent this easy to detect situation with extra NULL check.
> > Reported by oss-fuzz project.
> >
> > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
>
> Ack with a nit below.
> Acked-by: Yonghong Song <yhs@fb.com>
>
> > ---
> >   tools/lib/bpf/libbpf.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > index 71f5a009010a..4537ce6d54ce 100644
> > --- a/tools/lib/bpf/libbpf.c
> > +++ b/tools/lib/bpf/libbpf.c
> > @@ -2754,7 +2754,7 @@ static int btf_fixup_datasec(struct bpf_object *obj, struct btf *btf,
> >               t_var = btf__type_by_id(btf, vsi->type);
> >               var = btf_var(t_var);
>
> Can we move the above 'var = ...' assignment after below if statement?

it's safe as is because btf_var() is equivalent to pointer casting. I
considered doing a check before btf_var() cast, but that would require
a separate if and pr_debug statements which felt like an overkill.

>
> >
> > -             if (!btf_is_var(t_var)) {
> > +             if (!t_var || !btf_is_var(t_var)) {
> >                       pr_debug("Non-VAR type seen in section %s\n", name);
> >                       return -EINVAL;
> >               }
> >

Re: [PATCH bpf-next 2/5] libbpf: improve sanity checking during BTF fix up

[Andrii Nakryiko]

On Wed, Nov 3, 2021 at 9:36 AM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
>
> On Tue, Nov 2, 2021 at 11:06 PM Yonghong Song <yhs@fb.com> wrote:
> >
> >
> >
> > On 11/2/21 5:10 PM, Andrii Nakryiko wrote:
> > > If BTF is corrupted DATASEC's variable type ID might be incorrect.
> > > Prevent this easy to detect situation with extra NULL check.
> > > Reported by oss-fuzz project.
> > >
> > > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> >
> > Ack with a nit below.
> > Acked-by: Yonghong Song <yhs@fb.com>
> >
> > > ---
> > >   tools/lib/bpf/libbpf.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > > index 71f5a009010a..4537ce6d54ce 100644
> > > --- a/tools/lib/bpf/libbpf.c
> > > +++ b/tools/lib/bpf/libbpf.c
> > > @@ -2754,7 +2754,7 @@ static int btf_fixup_datasec(struct bpf_object *obj, struct btf *btf,
> > >               t_var = btf__type_by_id(btf, vsi->type);
> > >               var = btf_var(t_var);
> >
> > Can we move the above 'var = ...' assignment after below if statement?
>
> it's safe as is because btf_var() is equivalent to pointer casting. I
> considered doing a check before btf_var() cast, but that would require
> a separate if and pr_debug statements which felt like an overkill.

Oh, never mind, we don't validate var itself, so no need for extra if.
I'll post a v2 with this change.

>
> >
> > >
> > > -             if (!btf_is_var(t_var)) {
> > > +             if (!t_var || !btf_is_var(t_var)) {
> > >                       pr_debug("Non-VAR type seen in section %s\n", name);
> > >                       return -EINVAL;
> > >               }
> > >