Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
libbpf: Fix use-after-free in btf_dump_name_dups
ASAN reports an use-after-free in btf_dump_name_dups: ERROR: AddressSanitizer: heap-use-after-free on address 0xffff927006db at pc 0xaaaab5dfb618 bp 0xffffdd89b890 sp 0xffffdd89b928 READ of size 2 at 0xffff927006db thread T0 #0 0xaaaab5dfb614 in __interceptor_strcmp.part.0 (test_progs+0x21b614) truenas#1 0xaaaab635f144 in str_equal_fn tools/lib/bpf/btf_dump.c:127 truenas#2 0xaaaab635e3e0 in hashmap_find_entry tools/lib/bpf/hashmap.c:143 truenas#3 0xaaaab635e72c in hashmap__find tools/lib/bpf/hashmap.c:212 truenas#4 0xaaaab6362258 in btf_dump_name_dups tools/lib/bpf/btf_dump.c:1525 truenas#5 0xaaaab636240c in btf_dump_resolve_name tools/lib/bpf/btf_dump.c:1552 truenas#6 0xaaaab6362598 in btf_dump_type_name tools/lib/bpf/btf_dump.c:1567 truenas#7 0xaaaab6360b48 in btf_dump_emit_struct_def tools/lib/bpf/btf_dump.c:912 truenas#8 0xaaaab6360630 in btf_dump_emit_type tools/lib/bpf/btf_dump.c:798 truenas#9 0xaaaab635f720 in btf_dump__dump_type tools/lib/bpf/btf_dump.c:282 truenas#10 0xaaaab608523c in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:236 truenas#11 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875 truenas#12 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062 truenas#13 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697 truenas#14 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308 truenas#15 0xaaaab5d65990 (test_progs+0x185990) 0xffff927006db is located 11 bytes inside of 16-byte region [0xffff927006d0,0xffff927006e0) freed by thread T0 here: #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4) truenas#1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191 truenas#2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163 truenas#3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106 truenas#4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157 truenas#5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519 truenas#6 0xaaaab6353e10 in btf__add_field tools/lib/bpf/btf.c:2032 truenas#7 0xaaaab6084fcc in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:232 truenas#8 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875 truenas#9 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062 truenas#10 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697 truenas#11 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308 truenas#12 0xaaaab5d65990 (test_progs+0x185990) previously allocated by thread T0 here: #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4) truenas#1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191 truenas#2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163 truenas#3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106 truenas#4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157 truenas#5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519 truenas#6 0xaaaab6353ff0 in btf_add_enum_common tools/lib/bpf/btf.c:2070 truenas#7 0xaaaab6354080 in btf__add_enum tools/lib/bpf/btf.c:2102 truenas#8 0xaaaab6082f50 in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:162 truenas#9 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875 truenas#10 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062 truenas#11 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697 truenas#12 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308 truenas#13 0xaaaab5d65990 (test_progs+0x185990) The reason is that the key stored in hash table name_map is a string address, and the string memory is allocated by realloc() function, when the memory is resized by realloc() later, the old memory may be freed, so the address stored in name_map references to a freed memory, causing use-after-free. Fix it by storing duplicated string address in name_map. Fixes: 919d2b1 ("libbpf: Allow modification of BTF and add btf__add_str API") Signed-off-by: Xu Kuohai <[email protected]> Signed-off-by: Andrii Nakryiko <[email protected]> Acked-by: Martin KaFai Lau <[email protected]> Link: https://lore.kernel.org/bpf/[email protected]
- Loading branch information