bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH bpf-next] libbpf: avoid reading past ELF data section end when copying license
@ 2021-12-14 23:20 Andrii Nakryiko
  2021-12-15  6:08 ` Alexei Starovoitov
  0 siblings, 1 reply; 2+ messages in thread
From: Andrii Nakryiko @ 2021-12-14 23:20 UTC (permalink / raw)
  To: bpf, ast, daniel; +Cc: andrii, kernel-team

Fix possible read beyond ELF "license" data section if the license
string is not properly zero-terminated. Use the fact that libbpf_strlcpy
never accesses the (N-1)st byte of the source string because it's
replaced with '\0' anyways.

If this happens, it's a violation of contract between libbpf and a user,
but not handling this more robustly upsets CIFuzz, so given the fix is
trivial, let's fix the potential issue.

Fixes: 9fc205b413b3 ("libbpf: Add sane strncpy alternative and use it internally")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 tools/lib/bpf/libbpf.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 684c34ce1a26..cf862a19222b 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -1320,7 +1320,10 @@ static int bpf_object__check_endianness(struct bpf_object *obj)
 static int
 bpf_object__init_license(struct bpf_object *obj, void *data, size_t size)
 {
-	libbpf_strlcpy(obj->license, data, sizeof(obj->license));
+	/* libbpf_strlcpy() only copies first N - 1 bytes, so size + 1 won't
+	 * go over allowed ELF data section buffer
+	 */
+	libbpf_strlcpy(obj->license, data, min(size + 1, sizeof(obj->license)));
 	pr_debug("license of %s is %s\n", obj->path, obj->license);
 	return 0;
 }
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH bpf-next] libbpf: avoid reading past ELF data section end when copying license
  2021-12-14 23:20 [PATCH bpf-next] libbpf: avoid reading past ELF data section end when copying license Andrii Nakryiko
@ 2021-12-15  6:08 ` Alexei Starovoitov
  0 siblings, 0 replies; 2+ messages in thread
From: Alexei Starovoitov @ 2021-12-15  6:08 UTC (permalink / raw)
  To: Andrii Nakryiko; +Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Kernel Team

On Tue, Dec 14, 2021 at 3:21 PM Andrii Nakryiko <andrii@kernel.org> wrote:
>
> Fix possible read beyond ELF "license" data section if the license
> string is not properly zero-terminated. Use the fact that libbpf_strlcpy
> never accesses the (N-1)st byte of the source string because it's
> replaced with '\0' anyways.
>
> If this happens, it's a violation of contract between libbpf and a user,
> but not handling this more robustly upsets CIFuzz, so given the fix is
> trivial, let's fix the potential issue.
>
> Fixes: 9fc205b413b3 ("libbpf: Add sane strncpy alternative and use it internally")
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Applied. Thanks

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-12-15  6:08 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-14 23:20 [PATCH bpf-next] libbpf: avoid reading past ELF data section end when copying license Andrii Nakryiko
2021-12-15  6:08 ` Alexei Starovoitov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).