Re: [PATCH bpf] bpf: add check for invalid name in btf_name_valid_section()

From: Alexei Starovoitov
Date: Wed Aug 28 2024 - 22:37:16 EST

Next message: Aaron Lu: "[PATCH] x86/sgx: Fix deadloop in __sgx_alloc_epc_page()"
Previous message: Muchun Song: "Re: [PATCH v1] memcg: add charging of already allocated slab objects"
Next in thread: Jeongjun Park: "Re: [PATCH bpf] bpf: add check for invalid name in btf_name_valid_section()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 23, 2024 at 3:43 AM Jeongjun Park <aha310510@xxxxxxxxx> wrote:
>
> If the length of the name string is 1 and the value of name[0] is NULL
> byte, an OOB vulnerability occurs in btf_name_valid_section() and the
> return value is true, so the invalid name passes the check.
>
> To solve this, you need to check if the first position is NULL byte.
>
> Fixes: bd70a8fb7ca4 ("bpf: Allow all printable characters in BTF DATASEC names")
> Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
> ---
> kernel/bpf/btf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 520f49f422fe..5c24ea1a65a4 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -823,6 +823,9 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
> const char *src = btf_str_by_offset(btf, offset);
> const char *src_limit;
>
> + if (!*src)
> + return false;
> +

We've talked about it. Quote:
"Pls add a selftest that demonstrates the issue
and produce a patch to fix just that."

length == 1 and name[0] = 0 is a hypothesis.
Demonstrate that such a scenario is possible then this patch will be
worth applying.

pw-bot: cr

Next message: Aaron Lu: "[PATCH] x86/sgx: Fix deadloop in __sgx_alloc_epc_page()"
Previous message: Muchun Song: "Re: [PATCH v1] memcg: add charging of already allocated slab objects"
Next in thread: Jeongjun Park: "Re: [PATCH bpf] bpf: add check for invalid name in btf_name_valid_section()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]