BPF Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH bpf-next] bpf: fix static checker warning
@ 2019-11-26 23:01 Alexei Starovoitov
  2019-11-27  0:07 ` Daniel Borkmann
  0 siblings, 1 reply; 2+ messages in thread
From: Alexei Starovoitov @ 2019-11-26 23:01 UTC (permalink / raw)
  To: davem; +Cc: daniel, dan.carpenter, netdev, bpf, kernel-team

kernel/bpf/btf.c:4023 btf_distill_func_proto()
        error: potentially dereferencing uninitialized 't'.

kernel/bpf/btf.c
  4012          nargs = btf_type_vlen(func);
  4013          if (nargs >= MAX_BPF_FUNC_ARGS) {
  4014                  bpf_log(log,
  4015                          "The function %s has %d arguments. Too many.\n",
  4016                          tname, nargs);
  4017                  return -EINVAL;
  4018          }
  4019          ret = __get_type_size(btf, func->type, &t);
                                                       ^^
t isn't initialized for the first -EINVAL return

This is unlikely path, since BTF should have been validated at this point.
Fix it by returning 'void' BTF.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/bpf/btf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 40efde5eedcb..bd5e11881ba3 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3976,8 +3976,10 @@ static int __get_type_size(struct btf *btf, u32 btf_id,
 	t = btf_type_by_id(btf, btf_id);
 	while (t && btf_type_is_modifier(t))
 		t = btf_type_by_id(btf, t->type);
-	if (!t)
+	if (!t) {
+		*bad_type = btf->types[0];
 		return -EINVAL;
+	}
 	if (btf_type_is_ptr(t))
 		/* kernel size of pointer. Not BPF's size of pointer*/
 		return sizeof(void *);
-- 
2.23.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH bpf-next] bpf: fix static checker warning
  2019-11-26 23:01 [PATCH bpf-next] bpf: fix static checker warning Alexei Starovoitov
@ 2019-11-27  0:07 ` Daniel Borkmann
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Borkmann @ 2019-11-27  0:07 UTC (permalink / raw)
  To: Alexei Starovoitov, davem; +Cc: dan.carpenter, netdev, bpf, kernel-team

On 11/27/19 12:01 AM, Alexei Starovoitov wrote:
> kernel/bpf/btf.c:4023 btf_distill_func_proto()
>          error: potentially dereferencing uninitialized 't'.
> 
> kernel/bpf/btf.c
>    4012          nargs = btf_type_vlen(func);
>    4013          if (nargs >= MAX_BPF_FUNC_ARGS) {
>    4014                  bpf_log(log,
>    4015                          "The function %s has %d arguments. Too many.\n",
>    4016                          tname, nargs);
>    4017                  return -EINVAL;
>    4018          }
>    4019          ret = __get_type_size(btf, func->type, &t);
>                                                         ^^
> t isn't initialized for the first -EINVAL return
> 
> This is unlikely path, since BTF should have been validated at this point.
> Fix it by returning 'void' BTF.
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Applied, thanks!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-26 23:01 [PATCH bpf-next] bpf: fix static checker warning Alexei Starovoitov
2019-11-27  0:07 ` Daniel Borkmann

BPF Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/bpf/0 bpf/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 bpf bpf/ https://lore.kernel.org/bpf \
		bpf@vger.kernel.org
	public-inbox-index bpf

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.bpf


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git